"Massive Malware Campaign Targets Thousands of WordPress Sites via Plugin Vulnerabilities"
A malware campaign has exploited a security flaw in the Popup Builder plugin for WordPress, infecting over 3,900 sites by injecting malicious JavaScript code. The attacks, orchestrated from new domains, exploit a vulnerability to create rogue admin users and install arbitrary plugins. WordPress site owners are advised to update their plugins, scan for suspicious code or users, and perform cleanup. Additionally, a high-severity bug in the Ultimate Member plugin has been disclosed, allowing unauthenticated attackers to inject malicious web scripts, emphasizing the importance of keeping website software patched and up-to-date.
