Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin

Source: wordfence.com (original post)

On December 11, 2023, we added an Unauthenticated Stored XSS vulnerability in the Popup Builder WordPress plugin to our Wordfence Intelligence Vulnerability Database. This vulnerability, which was originally reported by WPScan, allows an unauthenticated attacker to inject arbitrary JavaScript that executes whenever a user visits a page containing the injected content.

Later, on January 10th, 2024, we received an interesting malware submission demonstrating how a Cross-Site Scripting (XSS) vulnerability in a single plugin can allow an unauthenticated attacker to inject an arbitrary administrative account that can then be used to take over a website. This type of vulnerability is usually exploited to add spam content or malicious redirects to a compromised website, which we frequently see when performing Care and Response site cleanings. This time, however, we found a successful attempt to directly inject a WordPress administrator account, one of the few we have been able to definitively attribute to this technique with the evidence still preserved.
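Because the end result of this attack is a rogue administrator account, a site owner's first check after cleanup is to compare the current administrator list against a known-good baseline and the disclosure date. The following is an added example, not code from the original post or from Wordfence: it parses the JSON that `wp user list --role=administrator --format=json` produces (the sample output, the `siteowner` baseline and the `wp_support_` account are constructed for illustration) and flags accounts that are unknown or registered on or after December 11, 2023.

```python
import json
from datetime import datetime

# Date the Popup Builder stored-XSS entry was added to the vulnerability database (from the post).
DISCLOSURE_DATE = datetime(2023, 12, 11)

# Constructed sample of what `wp user list --role=administrator --format=json
#   --fields=ID,user_login,user_email,user_registered` might return on a site
# where an extra administrator was created through the victim's browser session.
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2021-03-04 09:12:00"},
    {"ID": 57, "user_login": "wp_support_", "user_email": "x@example.net",
     "user_registered": "2024-01-09 22:41:13"},
])

# Administrators the site owner knows about (constructed baseline).
KNOWN_ADMINS = {"siteowner"}


def find_suspect_admins(wp_user_list_json, known_admins, since=DISCLOSURE_DATE):
    """Return administrator accounts that are missing from the baseline or were
    registered on/after `since`. Each hit lists every reason it was flagged."""
    suspects = []
    for user in json.loads(wp_user_list_json):
        reasons = []
        if user["user_login"] not in known_admins:
            reasons.append("not in baseline")
        # WordPress stores user_registered as "YYYY-MM-DD HH:MM:SS".
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= since:
            reasons.append("registered after disclosure")
        if reasons:
            suspects.append({"ID": user["ID"], "user_login": user["user_login"],
                             "reasons": reasons})
    return suspects


if __name__ == "__main__":
    for hit in find_suspect_admins(SAMPLE_WP_USER_LIST, KNOWN_ADMINS):
        print(hit)
```

A flagged account is a lead, not proof: confirm it against the site's own records before removing it, and treat any confirmed rogue administrator as a full compromise requiring credential rotation.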

Wordfence Premium, Wordfence Care, and Wordfence Response users, along with Wordfence CLI Paid users, received a malware signature to detect this malicious file on January 11th, 2024. Wordfence free users will receive this signature after 30 days, on February 11th, 2024. In addition, Wordfence Premium, Wordfence Care, and Wordfence Response users, along with those still using the free version, are protected against any exploits targeting this vulnerability.