Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin

by | Jan 17, 2024 | Digital Marketing, Research, Vulnerabilities, WordPress Security

The article details the discovery of an Unauthenticated Stored XSS vulnerability in the Popup Builder WordPress plugin. This vulnerability allows an unauthenticated attacker to inject arbitrary JavaScript, which will be executed when a user accesses an injected page. The article also discusses a malware submission demonstrating how this vulnerability in a single plugin can allow an unauthenticated attacker to inject an arbitrary administrative account, potentially leading to a website takeover.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a malware signature to detect this malicious file on January 11th, 2024, with Wordfence free users set to receive the signature on February 11th, 2024. Additionally, all Wordfence users are protected against any exploits targeting this vulnerability.

The attack technique, as explained in the article, involves the injection of malicious code in the “Custom JS” options of the Popup Builder plugin through an unauthenticated HTTP request. This code can be used to create rogue admin accounts, allowing the attacker full control over the compromised website. The attackers’ domain was identified as wpemojii[.]com, which was added to the Threat Intelligence malicious domains database. The article also provides a timeline of events related to the discovery and response to the vulnerability.

The article concludes with a reminder of the protection provided to Wordfence users against this vulnerability and emphasizes the sophistication of the attack method. The Popup Builder plugin has also undergone several security-related releases in response to the discovery of the vulnerability.

In response to the potential compromise of websites due to this vulnerability or any other, Wordfence offers Incident Response services through Wordfence Care, and immediate site cleaning through Wordfence Response, with 24/7/365 availability and a 1-hour response time.

The article was published with a special thanks to Roberto Garaffa /, who reported the code injection sample.

Read Full Article



Pin It on Pinterest