Vulnerable Popup Builder WordPress plugin attacked by malware

published: Jan. 12, 2024

Take action: If you are using the Popup Builder plugin for WordPress, update it ASAP. Also, check for a plugin file named 'wp-felody.php', which is an indicator of compromise.

Over 6,700 WordPress websites using an outdated version of the Popup Builder plugin have been infected by the Balada Injector malware since mid-December. The Popup Builder plugin for WordPress is a tool for creating a variety of popups on WordPress websites. It offers a range of popup types and customizable options suitable for marketing, informational, and functional purposes.

The Balada Injector targets vulnerabilities like CVE-2023-6000, a cross-site scripting flaw in Popup Builder, to inject backdoors that redirect visitors to scam sites. The latest attack wave, starting on December 13, 2023, involved modifying WordPress files and using a disguised plugin named 'wp-felody.php' for executing malicious activities, including code execution and fetching additional payloads.

This malware campaign, active since 2017 and compromising over 17,000 sites, was further analyzed by the companies Dr. Web and Sucuri.

Sucuri's analysis indicates a deliberate effort to conceal the attack's origin, using methods such as placing the attacker infrastructure behind Cloudflare firewalls. Protection against such attacks involves keeping WordPress themes and plugins updated, removing unsupported products, and minimizing the number of active plugins to reduce the attack surface exposed to automated breaches.
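The two checks the advisory asks for (the 'wp-felody.php' indicator of compromise in the "Take action" note and the outdated-plugin condition in the protection advice above) can be run in one pass over a WordPress install. The script below is an added example written for this page; it is not code from the advisory, Sucuri, Dr. Web or the Popup Builder project. It assumes the standard wp-content/plugins/<slug>/<main>.php layout and the standard WordPress plugin header format. Because the advisory does not state which Popup Builder release fixes CVE-2023-6000, the minimum safe version is a labelled placeholder to be filled in from the plugin changelog; the sample site built by run_demo() and its version numbers are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicator of compromise named in the advisory: the disguised plugin file.
IOC_FILENAMES = {"wp-felody.php"}

# PLACEHOLDER: the advisory does not state which Popup Builder release fixes
# CVE-2023-6000, so take the patched version from the plugin's changelog and
# put it here before relying on the "outdated" check. "0.0.0" flags nothing.
POPUP_BUILDER_MIN_SAFE_VERSION = "0.0.0"

# WordPress plugin header fields ("Plugin Name:" / "Version:"), with or without
# a leading " * " comment prefix.
_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(path: Path) -> dict:
    """Read the plugin header block (WordPress itself only reads the first 8 KiB)."""
    text = path.read_text(encoding="utf-8", errors="replace")[:8192]
    return dict(_HEADER_RE.findall(text))


def version_tuple(version: str) -> tuple:
    """'4.1.15' -> (4, 1, 15); non-numeric fragments compare as 0."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def scan_wordpress(root: str, min_safe: str = POPUP_BUILDER_MIN_SAFE_VERSION) -> dict:
    """Walk a WordPress install; report IoC files and outdated Popup Builder copies."""
    findings = {"ioc_files": [], "outdated_popup_builder": []}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if name in IOC_FILENAMES:
                findings["ioc_files"].append(str(full))
                continue
            # Main plugin files live directly in wp-content/plugins/<slug>/.
            if name.endswith(".php") and full.parent.parent.name == "plugins":
                header = parse_plugin_header(full)
                if header.get("Plugin Name", "").lower().startswith("popup builder"):
                    version = header.get("Version", "0")
                    if version_tuple(version) < version_tuple(min_safe):
                        findings["outdated_popup_builder"].append((str(full), version))
    return findings


def run_demo() -> dict:
    """Scan a constructed sample site; paths, versions and file contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = Path(tmp) / "wp-content" / "plugins"
        (plugins / "popup-builder").mkdir(parents=True)
        # Constructed plugin header; the version number is invented for the demo.
        (plugins / "popup-builder" / "popup-builder.php").write_text(
            "<?php\n/*\n * Plugin Name: Popup Builder\n * Version: 4.1.10\n */\n"
        )
        # Constructed stand-in for the IoC file; contents are a harmless comment.
        (plugins / "wp-felody.php").write_text("<?php // constructed stand-in for the IoC\n")
        # "4.2.0" is a constructed threshold for the demo, not the real fix version.
        return scan_wordpress(tmp, min_safe="4.2.0")


if __name__ == "__main__":
    print(run_demo())
```

Run it against a real install as scan_wordpress("/var/www/html", min_safe="<patched version>"); any entry in ioc_files means the site should be treated as compromised rather than merely outdated, since the advisory describes that file as the component that executes code and fetches further payloads.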
