CVE-2023-6000
Published: 2024-01-01
Priority: P1 · 81 · medium · 6.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
In the wild: exploited (VulnCheck KEV)
EPSS: 2.00% (78.3th percentile)
The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chrome_chrome | — | — | |
| sygnoos | popup_builder | < 4.2.3 | 4.2.3 |
Detection & IOCs (extracted from sources)
command: sgpb-is-preview=1&post_ID={{popup_id}}&sgpb-type=html&sgpb-WillOpen=alert('document.domain');
other: fofa-query: body="/wp-content/plugins/popup-builder"
other: publicwww-query: "/wp-content/plugins/popup-builder/"
- Monitor the 'wp_postmeta' database table for malicious JavaScript injected via Popup Builder's Custom JavaScript or Custom CSS sections.
- Detect malicious event handler injections targeting Popup Builder plugin events: 'sgpb-ShouldOpen', 'sgpb-ShouldClose', 'sgpb-WillOpen', 'sgpbDidOpen', 'sgpbWillClose', and 'sgpb-DidClose'.
- Detect exploitation attempts via unauthenticated POST requests containing 'sgpb-is-preview=1' and 'sgpb-WillOpen' parameters with JavaScript payloads.
- Look for the presence of the rogue plugin file 'wp-felody.php' on the filesystem, which serves as the main backdoor dropped after initial compromise.
- Check for unauthorized modifications to wp-blog-header.php as a secondary infection indicator used to inject the JavaScript backdoor.
- Detect the 'sgpbWillOpen' event being hijacked in the site's database as an indicator of Balada Injector compromise.
- Alert on admin-related cookie checks in injected scripts, which attackers use to load additional script sets for backdoor deployment.
- The vulnerability affects Popup Builder versions 4.2.3 and older; version 4.2.7 is the patched release addressing CVE-2023-6000.
- At least 80,000 active sites still use Popup Builder 4.1 and older, meaning the attack surface remains large and scanning for vulnerable installs is warranted.
- Infection removal requires deleting malicious entries from Popup Builder's custom sections and scanning for hidden backdoors to prevent reinfection.
CVSS provenance
- nvd: v3.1, 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- vulncheck: 6.1 MEDIUM
GHSA
GHSA-fhw3-qv5f-7vrw (ghsa_unreviewed, 2024-01-01): CVE-2023-6000 [MEDIUM], CWE-79
The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.
VulnCheck
sygnoos popup_builder: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (vulncheck, 2023, CVSS 6.1, CVE-2023-6000 [MEDIUM])
The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.
Affected: sygnoos popup_builder
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2024/01/thousands-of-sites-with-popup-builder-compromised-by-balada-injector.html; https://blog.sucuri.net/2024/03/new-malware-campaign-found-exploiting-stored-xss-in-popup-builder-4-2-3.html
Exploit PoC: https://vulncheck.com/xdb/e2709560a5b0
Chrome
Stable Channel Update for Desktop: CVE-2023-6705 (vendor_chrome, 2023-12-12, CVSS 8.8, CVE-2023-6705 [HIGH])
CVE-2023-6705: Use after free in WebRTC. Reported by Cassidy Kim(@cassidy6564) on 2023-11-28 [$6000][ 1500921 ] High CVE-2023-6706: Use after free in FedCM
Reported by anonymous on 2023-11-09 [$7000][ 1504036 ] Medium CVE-2023-6707: Use after free in CSS
Severity: high
Chrome
Stable Channel Update for ChromeOS/ChromeOS Flex: CVE-2023-5476 (vendor_chrome, 2023-10-18, CVSS 8.8, CVE-2023-5476 [MEDIUM])
CVE-2023-5476: Use after free in Blink History. Reported by Yunqin Sun on 2023-08-20 [$500][ 1471253 ] Medium CVE-2023-5479: Inappropriate implementation in Extensions API
Reported by Axel Chong on 2023-08-09 [$6000][ 1395164 ] Low CVE-2023-5485: Inappropriate implementation in Autofill
Severity: medium
Chrome
Stable Channel Update for ChromeOS / ChromeOS Flex: CVE-2023-4904 (vendor_chrome, 2023-09-26, CVSS 4.3, CVE-2023-4904 [MEDIUM])
CVE-2023-4904: Insufficient policy enforcement in Downloads. Reported by Tudor Enache @tudorhacks on 2023-06-09 [$6000][ 1449874 ] Low CVE-2023-4906: Insufficient policy enforcement in Autofill
Reported by Ahmed ElMasry on 2023-05-30 [$2000][ 1451543 ] Low CVE-2023-4908: Inappropriate implementation in Picture in Picture
Severity: medium
Chrome
Stable Channel Update for Desktop: CVE-2023-7012 (vendor_chrome, 2023-09-12, CVSS 4.3, CVE-2023-7012 [MEDIUM])
CVE-2023-7012: Insufficient data validation in Permission Prompts. Reported by koocola (@alo_cook) and Nan Wang (@eternalsakura13) of 360 Alpha Lab on 2022-10-28 [$6000][ 1449874 ] Low CVE-2023-4906: Insufficient policy enforcement in Autofill
Reported by Ahmed ElMasry on 2023-05-30 [$2000][ 1462104 ] Low CVE-2023-4907: Inappropriate implementation in Intents
Severity: medium
No detection rules found.
Exploit-DB
Saflok - Key Derivation Function Exploit (exploitdb, 2024-02-28)
```c
// Exploit Title: Saflok KDF
// Date: 2023-10-29
// Exploit Author: a51199deefa2c2520cea24f746d899ce
// Vendor Homepage: https://www.dormakaba.com/
// Version: System 6000
// Tested on: Dormakaba Saflok cards
// CVE: N/A
#include <stdio.h>   // printf
#include <stdint.h>  // uint8_t
#define MAGIC_TABLE_SIZE 192
#define KEY_LENGTH 6
#define UID_LENGTH 4
int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Usage: %s \n", argv[0]);
        return 1;
    }
    uint8_t magic_table[MAGIC_TABLE_SIZE] = {
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xF0, 0x57, 0xB3, 0x9E, 0xE3, 0xD8,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x96, 0x9D, 0x95, 0x4A, 0xC1, 0x57,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x8F, 0x43, 0x58, 0x0D, 0x2C, 0x9D,
        0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xFF, 0xCC, 0xE0, 0x05, 0x0C, 0x43,
        0x00, 0x00,
```
Nuclei
WordPress Popup Builder <= 4.2.3 - Unauthenticated Stored XSS (nuclei, CVSS 6.1, CVE-2023-6000 [MEDIUM])
The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.
Template:
```yaml
id: CVE-2023-6000

info:
  name: WordPress Popup Builder <= 4.2.3 - Unauthenticated Stored XSS
  author: riteshs4hu
  severity: medium
  description: |
    The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.
  impact: |
    Unauthenticated attackers can update existing popups and inject raw JavaScript to achieve stored cross-site scripting attacks against WordPress Popup Builder users.
  remediation: Fixed in 4.2.
```
Bleepingcomputer
blogs_bleepingcomputer · 2024-03-10 · CVSS 6.1 · CVE-2023-6000 [MEDIUM]
## Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware
## Bill Toulas
Hackers are breaching WordPress sites by exploiting a vulnerability in outdated versions of the Popup Builder plugin, infecting over 3,300 websites with malicious code.
The flaw leveraged in the attacks is tracked as CVE-2023-6000, a cross-site scripting (XSS) vulnerability impacting Popup Builder versions 4.2.3 and older, which was initially disclosed in November 2023.
A Balada Injector campaign uncovered at the start of the year exploited the particular vulnerability to infect over 6,700 websites, indicating that many site admins hadn't patched quickly enough.
Sucuri now reports spotting a new campaign with a notable uptick in the past three weeks, targeting the same vulnerability on the Word
Bleepingcomputer
blogs_bleepingcomputer · 2024-01-11 · CVSS 6.1 · [MEDIUM]
## New Balada Injector campaign infects 6,700 WordPress sites
## Bill Toulas
A little over 6,700 WordPress websites using a vulnerable version of the Popup Builder plugin have been infected with the Balada Injector malware in a campaign that launched in mid-December.
Initially documented by researchers at Dr. Web, who observed coordinated attack waves leveraging known flaws in WordPress themes and addons, it was later discovered that Balada Injector was a massive operation running since 2017 that had compromised more than 17,000 WordPress sites.
The attacks inject a backdoor that redirects visitors of compromised sites to fake support pages, lottery sites, and push notification scams.
## Latest campaign
The latest Balada Injector campaign launched on December 13, 2023, two days after