Hackers have recently exploited a vulnerability in outdated versions of the Popup Builder plugin to breach WordPress sites, infecting over 3,300 websites with malicious code. The flaw leveraged in the attacks is tracked as CVE-2023-6000, a cross-site scripting (XSS) vulnerability impacting Popup Builder versions 4.2.3 and older, which was initially disclosed in November 2023. 

According to reports, the attacks infect the Custom JavaScript or Custom CSS sections of the WordPress admin interface, and the malicious code is stored within the ‘wp_postmeta’ database table. The primary function of the injected code is to act as event handlers for various Popup Builder plugin events, such as ‘sgpb-ShouldOpen’, ‘sgpb-ShouldClose’, ‘sgpb-WillOpen’, ‘sgpbDidOpen’, ‘sgpbWillClose’, and ‘sgpb-DidClose.’ The attackers achieve malicious goals by redirecting visitors of infected sites to malicious destinations such as phishing pages and malware-dropping sites. The attacks originated from the domains “ttincoming.traveltraffic[.]cc” and “host.cloudsonicwave[.]com,” so blocking these two is recommended. 

WordPress site owners who are using the Popup Builder plugin must upgrade to the latest version, currently 4.2.7, which addresses CVE-2023-6000 and other security problems.