Malware, Vulnerability Management, Third-party code

Thousands of WordPress sites impacted by Balada Injector campaign

BleepingComputer reports that more than 6,700 WordPress sites running a version of the Popup Builder plugin vulnerable to the cross-site scripting bug tracked as CVE-2023-6000 have been compromised in a new Balada Injector campaign that commenced last month. Attackers exploited the flaw to take over Popup Builder's "sgpbWillOpen" event so that malicious JavaScript code is injected whenever a popup launches, a report from Sucuri showed. Threat actors also executed such JavaScript code through changes to the "wp-blog-header.php" file. Numerous script sets were then loaded to execute Balada masquerading as the "felody" plugin, which enables not only arbitrary PHP code execution, file uploads and execution, and attacker communications but also further payload retrieval. Further examination of the campaign's domains also revealed the use of Cloudflare's firewall to conceal the attacks' origins. Such a development should prompt organizations to keep the plugins and themes on their WordPress sites updated and to remove tools that are no longer supported.
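A site owner can triage an install for the three artifacts named above. The following is an added example, not code from Sucuri, BleepingComputer or the Popup Builder project. Assumptions: the header-file regex is a heuristic, the database export is supplied as plain text, the sample tree and dump are constructed, and a hit is a lead for manual review because "sgpbWillOpen" can also appear in legitimate popup code.

```python
import os
import re
import tempfile

# Strings taken from the report; everything else in this script is an assumption.
FAKE_PLUGIN = "felody"
POPUP_EVENT = "sgpbWillOpen"
# Heuristic (assumption): a stock wp-blog-header.php emits no script tags
# and calls no eval/base64_decode.
SUSPICIOUS_HEADER = re.compile(r"<script|eval\s*\(|base64_decode\s*\(", re.I)

def triage(wp_root, db_dump_text=""):
    """Return (kind, location) leads for manual review of one WordPress install."""
    findings = []
    plugin_dir = os.path.join(wp_root, "wp-content", "plugins")
    if os.path.isdir(plugin_dir):
        for name in sorted(os.listdir(plugin_dir)):
            if FAKE_PLUGIN in name.lower():
                findings.append(("fake-plugin", os.path.join(plugin_dir, name)))
    header = os.path.join(wp_root, "wp-blog-header.php")
    if os.path.isfile(header):
        with open(header, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if SUSPICIOUS_HEADER.search(line):
                    findings.append(("header-modified", f"{header}:{lineno}"))
    # Popup custom code lives in the database, so scan a text export of it.
    for lineno, line in enumerate(db_dump_text.splitlines(), 1):
        if POPUP_EVENT in line:
            findings.append(("popup-event-handler", f"db-dump:{lineno}"))
    return findings

def build_sample_site(root):
    """Constructed sample tree for the demo; not real campaign data."""
    for plugin in ("felody", "example-plugin"):
        os.makedirs(os.path.join(root, "wp-content", "plugins", plugin))
    with open(os.path.join(root, "wp-blog-header.php"), "w") as fh:
        fh.write("<?php\nrequire_once __DIR__ . '/wp-load.php';\n"
                 "echo '<script src=\"https://placeholder.invalid/x.js\"></script>';\n")

# Constructed database export: table and key names are placeholders.
SAMPLE_DUMP = ("INSERT INTO example_meta VALUES (1, 'example_key', 'plain text');\n"
               "INSERT INTO example_meta VALUES (2, 'example_js', 'sgpbWillOpen handler (constructed)');\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        for kind, where in triage(root, SAMPLE_DUMP):
            print(f"{kind:22} {where}")
```
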
