January 16, 2024 | Posted in Plugins, SecTech
Over 7,100 WordPress sites have been compromised in the latest wave of the Balada Injector malware campaign. The campaign, active since 2017, exploits vulnerabilities in WordPress plugins, most recently the Popup Builder plugin. Visitors to compromised sites are redirected to fraudulent pages: bogus tech support, fake lottery wins, and push notification scams.
The current wave exploits CVE-2023-6000, a severe vulnerability in the Popup Builder plugin rated CVSS 8.8. The flaw lets an attacker inject JavaScript that runs in the browser of a logged-in administrator, so the attacker can do whatever that administrator can, including installing arbitrary plugins and creating rogue administrator accounts. The malicious JavaScript file, hosted on specialcraftbox[.]com, is loaded into the compromised site to take control of it and set up the redirects.
Sucuri, a GoDaddy-owned website security company, detected and analyzed this campaign. Its findings show that the attackers establish persistent control over compromised sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators. The injected JavaScript is aimed specifically at logged-in site administrators: when an administrator views an infected page, the script runs with that administrator's privileges and emulates administrator activity to carry out these changes.
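As an added illustration of the checks a site owner would run after reading the above (this is example code written for this post, not Sucuri's tooling and not the attackers' script), the following Python scans a page for external script tags pointing at the injection domain named above, including obfuscated forms such as HTML-entity or percent-encoded URLs and scheme-relative `//host/...` sources, and lists administrator accounts that are not on the owner's allowlist. The sample page and user list are constructed for the example; the indicator list contains only the domain the post names.

```python
"""Added example, not part of the original post or of Sucuri's tooling:
look for two Balada Injector indicators described in the post, an external
<script src> pointing at the injection domain and administrator accounts the
site owner did not create."""
import html
import re
from urllib.parse import unquote, urlparse

# The only injection domain named in the post; extend from your own IOC feed.
MALICIOUS_DOMAINS = {"specialcraftbox.com"}

# src attribute of any <script> tag; quoted or unquoted attribute values.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def _hostname(src: str) -> str:
    """Normalise a script URL so obfuscated forms still yield a hostname:
    HTML entities (https&#58;//...), percent-encoding (https%3A//...),
    a trailing dot on the host, and scheme-relative URLs (//host/x.js)."""
    url = html.unescape(unquote(src.strip()))
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def find_injected_scripts(page_html: str) -> list[str]:
    """Hostnames of external scripts whose host is a known injection domain
    or a subdomain of one, in document order."""
    hits = []
    for src in SCRIPT_SRC_RE.findall(page_html):
        host = _hostname(src)
        if any(host == d or host.endswith("." + d) for d in MALICIOUS_DOMAINS):
            hits.append(host)
    return hits


def find_rogue_admins(users: list[dict], expected_admins: set[str]) -> list[str]:
    """Administrator logins absent from the owner's allowlist. Each user is a
    dict with 'user_login' and a comma-separated 'roles' string, the shape
    WP-CLI's `wp user list --fields=user_login,roles` prints (assumed here)."""
    return sorted(
        u["user_login"] for u in users
        if "administrator" in u["roles"].split(",")
        and u["user_login"] not in expected_admins
    )


def scan(page_html: str, users: list[dict], expected_admins: set[str]) -> dict:
    """Run both checks; two empty lists mean neither indicator was found."""
    return {
        "injected_scripts": find_injected_scripts(page_html),
        "rogue_admins": find_rogue_admins(users, expected_admins),
    }


# --- constructed sample input for this example ------------------------------
SAMPLE_PAGE = """<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script>var pb = {};</script>
<script type='text/javascript' src='//specialcraftbox.com/init.js'></script>
<script src="https&#58;//cdn.specialcraftbox.com/x.js"></script>
</head><body>hello</body></html>"""

SAMPLE_USERS = [
    {"user_login": "alice", "roles": "administrator"},
    {"user_login": "bob", "roles": "editor"},
    {"user_login": "wp_support", "roles": "administrator"},  # not created by the owner
]
EXPECTED_ADMINS = {"alice"}

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE, SAMPLE_USERS, EXPECTED_ADMINS))
```

Feed it the HTML of a page as an anonymous visitor sees it (the injection is served to visitors, not only shown in the dashboard) together with the exported user list; a hit in either list is grounds for taking the site offline and checking plugins and backdoors, not just deleting the script tag.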
The recent attacks are only the latest in a series of periodic waves that have seen Balada Injector infect over a million WordPress sites since it began. The practical lesson is the same each time: keep WordPress plugins patched (Popup Builder in this case), and periodically review the site's administrator accounts and installed plugins for anything the site owner did not add.