Massive Malware Campaign Exploits WordPress Popup Plugin to Infect 3,900+ Websites

 

🔍 Overview

A widespread malware campaign has compromised over 3,900 WordPress websites by exploiting a vulnerability in the popular Popup Builder plugin. The flaw, tracked as CVE-2023-6000, allows attackers to inject malicious JavaScript into websites, redirecting visitors to fraudulent or malicious pages.

Security researchers from Sucuri and BleepingComputer discovered that the attackers are leveraging a stored cross-site scripting (XSS) vulnerability that affects unpatched versions of the plugin. Despite a patch being released months ago, thousands of sites remain unprotected and actively infected.


⚠️ What Happened

Attackers targeted websites running Popup Builder versions prior to 4.2.3, which contained an unauthenticated stored XSS flaw.
By exploiting it, they were able to inject malicious JavaScript directly into the plugin’s Custom JS/CSS feature.

The injected script is stored in the WordPress database under:

wp_postmeta → sg_popup_scripts

When a visitor opens the infected site, the popup automatically executes the injected script, often redirecting users to external domains serving phishing, adware, or drive-by download pages.


📈 Scope of the Attack

  • Over 3,900 infected domains identified through PublicWWW and Sucuri telemetry.
  • Variants of the injected script have been observed since March 2024, with new infections still appearing.
  • Sites across industries — from blogs to e-commerce — have been affected.

🧠 Why It Worked

This campaign succeeded because:

  • The vulnerability required no authentication to exploit.
  • Many site owners failed to update the plugin promptly.
  • Attackers automated scanning and injection using known exploit code.

In short: outdated plugins remain one of the easiest ways for hackers to compromise WordPress sites.


🕵️ Indicators of Compromise (IOCs)

If you suspect your site may be affected, check for the following red flags:

  1. Unknown or suspicious JavaScript inside Popup Builder → Custom JS/CSS.
  2. Database entries with:
    SELECT * FROM wp_postmeta WHERE meta_key = 'sg_popup_scripts';
    
  3. Code fragments like:
    <script id="sgpb-custom-script">
    sgpbWillOpen...
    </script>
    
  4. Unexpected redirects to unknown domains when opening a page with a popup.
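Added example (not from the article or from the Popup Builder project): a Python triage script that applies the indicators above to rows exported with the SELECT query in item 2, flagging sg_popup_scripts values that carry redirects, obfuscation, remotely loaded scripts or links to hosts outside the site's own allowlist. The sample rows, the allowlisted host example.com and the placeholder domain attacker.invalid are constructed; the script inspects the raw meta_value string, so it works whether or not the plugin stores the field serialized.

```python
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

# Heuristics matching what the article describes: JavaScript injected into the
# Custom JS/CSS field, stored under wp_postmeta -> sg_popup_scripts, that sends
# visitors to third-party domains. These are review aids, not proof of infection.
INDICATORS = {
    "remote_script": re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//", re.I),
    "redirect": re.compile(
        r"\b(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?\s*(?:=|\()", re.I),
    "obfuscation": re.compile(r"\b(?:eval|atob|unescape|String\.fromCharCode)\s*\(", re.I),
}
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)


def foreign_hosts(value: str, allowed_hosts: Iterable[str]) -> List[str]:
    """Hosts referenced in value that are not on the site's own allowlist."""
    allowed = {h.lower() for h in allowed_hosts}
    hosts = set()
    for url in URL_RE.findall(value):
        host = (urlparse(url).hostname or "").lower()
        if host and host not in allowed:
            hosts.add(host)
    return sorted(hosts)


def scan_rows(rows: Iterable[Dict[str, str]], allowed_hosts: Iterable[str]) -> List[Dict]:
    """Return one finding per sg_popup_scripts row that trips any indicator."""
    findings = []
    for row in rows:
        if row.get("meta_key") != "sg_popup_scripts":
            continue  # only the field the campaign writes to
        value = row.get("meta_value", "")
        reasons = [name for name, rx in INDICATORS.items() if rx.search(value)]
        hosts = foreign_hosts(value, allowed_hosts)
        if hosts:
            reasons.append("foreign_hosts:" + ",".join(hosts))
        if reasons:
            findings.append({"post_id": row["post_id"], "reasons": reasons})
    return findings


# Constructed sample rows (not real campaign data): a benign popup script and
# one that follows the injection pattern; attacker.invalid is a placeholder.
SAMPLE_ROWS = [
    {"post_id": "12", "meta_key": "sg_popup_scripts",
     "meta_value": "sgpbWillOpen: document.body.classList.add('popup-open');"},
    {"post_id": "47", "meta_key": "sg_popup_scripts",
     "meta_value": "sgpbWillOpen: eval(atob('...')); window.location.href='https://attacker.invalid/land';"},
    {"post_id": "47", "meta_key": "_edit_lock", "meta_value": "1"},
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS, ["example.com", "www.example.com"]):
        print(f"post_id={finding['post_id']}: {', '.join(finding['reasons'])}")
```

Any flagged post_id maps back to the popup to inspect (and clean) in Popup Builder → Custom JS/CSS; a clean site should produce no findings.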

🧹 How to Clean and Protect Your Site

Step 1. Update the Plugin

Immediately update Popup Builder to version 4.2.3 or higher.
If you can’t update right away, deactivate it temporarily.

wp plugin update popup-builder

Step 2. Remove Malicious Scripts

Manually inspect and remove injected code:

  • From the plugin’s Custom JS/CSS section.
  • Or directly from the database (sg_popup_scripts field).

Step 3. Scan for Backdoors

Run a malware scan using tools like:

Step 4. Change All Passwords

Reset all WordPress admin, hosting, and FTP passwords.
Enable two-factor authentication wherever possible.

Step 5. Harden Your WordPress

  • Keep all plugins and themes updated.
  • Limit admin accounts.
  • Use a Web Application Firewall (WAF) to block automated attacks.
  • Regularly back up your site and database.

🧩 Lessons Learned

This campaign is another reminder that:

  • Even legitimate and widely used plugins can become attack vectors.
  • Timely patching is your first line of defense.
  • Security monitoring and backups can drastically reduce downtime in case of infection.


💡 Final Thoughts

If you’re running a WordPress site, check your plugin list today.
Outdated or unused extensions can quietly expose your site — and your visitors — to significant risk.

A simple update can be the difference between a secure website and a compromised one.

