WordPress Woes: Thousands of Sites Hacked via Popup Plugin Vulnerability!

Don’t let your WordPress popups pop your security bubble! Over 3,000 websites didn’t update a plugin and got a nasty surprise: a one-way ticket to Hacksville. Update or risk the digital hijinks! #PopupBuilderPandemonium 🚨💻🎈

Hot Take:

Remember when we thought pop-ups were just annoying? Well, now they’re downright malicious. More than 3,000 WordPress websites fell victim to a party crasher, a.k.a. an XSS vulnerability in Popup Builder. The moral of the story? Update your plugins, folks, or you might unwittingly host the internet equivalent of a sketchy back-alley deal.

Key Points:

  • Over 3,000 WordPress sites have been compromised due to an XSS vulnerability in the Popup Builder plugin.
  • The bug, known as CVE-2023-6000, was discovered in November but continues to be exploited by cyber ne’er-do-wells.
  • Vulnerable versions of Popup Builder are still being used on more than 80,000 websites—talk about an open invitation!
  • Sucuri and PublicWWW have different tallies for the breach, but both agree it’s in the thousands.
  • Site admins are advised to update plugins, scour for nasty code, and block specific domains to prevent further digital shenanigans.

CVE Record:

  • Title: Popup Builder < 4.2.3 - Unauthenticated Stored XSS
  • CVE ID: CVE-2023-6000
  • CVE state: PUBLISHED
  • CVE assigner short name: WPScan
  • CVE date updated: 01/01/2024
  • CVE description: The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

Need to know more?


It's like a B-grade horror flick, but for the digital age—thousands of WordPress websites, once bustling hubs of content, now zombified to serve the whims of unseen puppet masters. The culprit? A sneaky XSS flaw in Popup Builder that's been around since last November. It's like leaving your front door open and then wondering why there's a raccoon party in your living room.

The Numbers Game

When it comes to the count of compromised websites, it seems like our cyber-sleuths can't quite agree. Sucuri's got the number at a precise 1,170, while PublicWWW is throwing around a more casual 3,300. Maybe they should just meet in the middle and call it a cyber catastrophe?

A Patch in Time Saves Nine... Thousand

What's the cyber equivalent of an apple a day? Updating your plugins, of course! Popup Builder patched the flaw with version 4.2.7, but for some, that's a stable door swinging in the wind long after the horse has bolted. And now, webmasters are being told to play digital detective to root out any lingering bad bits of code.

Block Party

It's not just a game of whack-a-mole with malicious code; admins have to play bouncer too. Blocking the domains "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com" is on the to-do list, as they're apparently the cybercrime VIPs of this unwanted event.
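The cleanup advice above (check the plugin version, hunt for leftover code, watch for the two domains) can be scripted. This sketch is an added example, not code from Sucuri or the plugin's authors; it takes "before 4.2.3" from the CVE record as the vulnerable range, and the record names and sample rows are constructed stand-ins for popup settings exported from a site's database.

```python
import re

# Both values come from this page: the CVE record's fixed version and the blocklist.
FIXED_VERSION = (4, 2, 3)
IOC_DOMAINS = ("ttincoming.traveltraffic.cc", "host.cloudsonicwave.com")

def parse_version(text):
    """Turn '4.2.2' or '4.2' into a three-part tuple that compares numerically."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version):
    """True when the installed version predates the fixed release."""
    return parse_version(version) < FIXED_VERSION

def ioc_regex(domain):
    """Match a domain written plainly or defanged as '[.]', in any letter case,
    without firing on look-alike names that merely contain it."""
    labels = [re.escape(label) for label in domain.split(".")]
    body = r"(?:\.|\[\.\])".join(labels)
    return re.compile(r"(?<![\w-])" + body + r"(?![\w-])", re.IGNORECASE)

PATTERNS = {domain: ioc_regex(domain) for domain in IOC_DOMAINS}

def scan(records):
    """records: iterable of (location, text). Returns [(location, domain), ...]."""
    return [(location, domain)
            for location, text in records
            for domain, rx in PATTERNS.items()
            if rx.search(text)]

# Constructed sample: stand-ins for popup settings exported from the site database.
SAMPLE = [
    ("popup 12", 'src="https://HOST.cloudsonicwave.com/placeholder"'),
    ("popup 19", 'console.log("newsletter popup opened")'),
    ("popup 27", "cdn.nothost.cloudsonicwave.community"),
    ("popup 31", "ticket note: saw ttincoming.traveltraffic[.]cc in custom JS"),
]

if __name__ == "__main__":
    for version in ("4.2.2", "4.2.3"):
        print(version, "vulnerable" if is_vulnerable(version) else "fixed")
    for location, domain in scan(SAMPLE):
        print(f"{location}: references {domain}")
```

A hit on a site that has already been updated still needs manual cleanup, since updating the plugin does not remove code that was injected earlier.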

Old Habits Die Hard

Attacks on third-party WordPress plugins and themes are as surprising as finding out that water is wet. Yet, it seems some webmasters are stuck in a loop of surprise, dismay, and frantic patching. Maybe it's time to break the cycle and actually stay ahead of the updates? Just a thought.

Remember, in the world of WordPress, being fashionably late with updates is a major faux pas. It's better to be the one who arrives early, updates in hand, ready to fend off the cyber-pests. So go forth, update, and may your pop-ups be ever benign!
