CVE-2023-6000 Alert: Malicious Plugin Exploit Hits Over 3,300 WordPress Sites

Discover how over 3,300 WordPress sites were compromised through a Popup Builder plugin bug and learn steps to secure your site against this vulnerability. Stay protected with our latest security insights.

In a striking revelation that underscores the ever-present vulnerabilities in popular web platforms, over 3,300 WordPress sites have been compromised through an exploit in the Popup Builder plugin. This breach highlights a sophisticated malware campaign that utilizes a cross-site scripting bug, known as CVE-2023-6000, targeting sites still operating on outdated versions of this widely used plugin.

The Core of the Compromise

The attackers ingeniously exploited the vulnerability to inject malicious code into the WordPress admin interface, specifically within the Custom JavaScript or Custom CSS sections. This code, residing in the 'wp_postmeta' database table, was crafted to redirect unsuspecting visitors to phishing and malware distribution sites. Such a tactic not only jeopardizes the security of the website owners but also poses a significant risk to site visitors.

The Scope of the Attack

While over 3,300 sites have been directly affected, the potential for further breaches remains alarmingly high, with more than 80,000 sites estimated to be using vulnerable versions of the Popup Builder plugin. The campaign's sophistication is evident in the various code injection variants designed for different plugin events, all aimed at executing the malicious redirects seamlessly.

The Response and Recommendations

In response to this widespread vulnerability, website owners are urged to promptly update to the latest version of the Popup Builder plugin, version 4.2.7, which addresses this critical flaw. Moreover, blocking the domains "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com" has been recommended as a preventive measure against these attacks.

The Bigger Picture

This incident is part of a broader trend of exploiting WordPress sites for malicious purposes, including distributed brute-force attacks and crypto drainer injections. The shift in attack methods from crypto drainers to distributed brute-force efforts hints at threat actors' evolving strategies and profit motives. With the vast number of WordPress sites serving as potential targets, the need for vigilance and proactive security measures has never been more pressing.

The exploitation of the Popup Builder plugin on WordPress sites serves as a critical reminder of the vulnerabilities inherent in widely used web platforms. It underscores the importance of maintaining up-to-date software and implementing comprehensive security practices to safeguard against sophisticated cyber threats. As the digital landscape continues to evolve, so too do the tactics of cybercriminals, making it imperative for website owners to stay informed and prepared.

Action Steps for WordPress Site Owners

In light of these attacks, WordPress site owners should take immediate action to secure their sites:

  • Update Your Plugins: Ensure that all plugins, especially Popup Builder, are updated to their latest versions.
  • Monitor and Block Malicious Domains: Implement firewall rules or other security measures to block known malicious domains.
  • Regularly Scan for Vulnerabilities: Use security plugins or services to scan your WordPress site for vulnerabilities and unauthorized code injections.
  • Educate and Inform: Stay informed about the latest security threats and educate your team or co-administrators on best practices for web security.

By adopting these proactive measures, WordPress site owners can significantly reduce their risk of falling victim to these and future security threats.

Ensure Comprehensive Protection with ThreatKey: Don't wait for a vulnerability like CVE-2023-6000 to expose your WordPress site—or any part of your SaaS and Cloud infrastructure. With ThreatKey, get ahead of threats with all-around protection, safeguard your data, and protect your online operations today.


Q: How do I know if my WordPress site is affected by the Popup Builder plugin vulnerability?
A: Check your site's plugin versions. If you're using Popup Builder version 4.2.3 or older, your site is at risk. Consider using security plugins or services that can scan for vulnerabilities and detect unauthorized code injections.

Q: What steps should I take if my WordPress site is compromised?
A: Immediately update the Popup Builder plugin to the latest version, currently 4.2.7, which patches the vulnerability. Additionally, search for and remove any malicious code from the Custom JavaScript or Custom CSS sections, and scan your site for other potential backdoors or infections.

Q: How can I protect my WordPress site from similar vulnerabilities in the future?
A: Regularly update all plugins, themes, and the WordPress core. Utilize reputable security plugins to monitor your site for vulnerabilities and unauthorized changes. Implement strong passwords and consider using a web application firewall for added security.

Q: Why is it important to block the domains "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com"?
A: These domains are associated with the malicious activities stemming from the Popup Builder plugin vulnerability. Blocking them can prevent further attacks and protect site visitors from being redirected to phishing or malware-distributing websites.

Q: Can updating the Popup Builder plugin to version 4.2.7 completely secure my site?
A: Updating to version 4.2.7 patches the specific vulnerability (CVE-2023-6000) but does not guarantee complete site security. Continuous monitoring, regular updates, and implementing additional security measures are crucial for maintaining a secure WordPress site.
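
The version check and the search of 'wp_postmeta' for the two reported domains can be scripted. The following is an added example, not code from Popup Builder or from the original article: it uses an in-memory SQLite table as a stand-in for the WordPress MySQL table, and the rows and the meta_key names in it are constructed for illustration.

```python
import re
import sqlite3

# Indicators quoted on this page, stored defanged as published.
IOC_DOMAINS = ["ttincoming.traveltraffic[.]cc", "host.cloudsonicwave[.]com"]
PATCHED = (4, 2, 7)        # fixed release named on this page
KNOWN_AT_RISK = (4, 2, 3)  # "4.2.3 or older" per this page


def refang(domain):
    """Turn a defanged indicator (example[.]com) into a matchable string."""
    return domain.replace("[.]", ".")


def version_status(version):
    """Classify a Popup Builder version string against the page's thresholds."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))  # pad "4.2" to (4, 2, 0)
    if parts <= KNOWN_AT_RISK:
        return "at-risk"
    return "patched" if parts >= PATCHED else "update"


def find_injected_rows(conn):
    """Return wp_postmeta rows whose meta_value references an IoC domain."""
    hits = []
    for ioc in map(refang, IOC_DOMAINS):
        rows = conn.execute(
            "SELECT meta_id, post_id, meta_key FROM wp_postmeta "
            "WHERE LOWER(meta_value) LIKE ?", (f"%{ioc}%",))
        hits += [(*row, ioc) for row in rows]
    return sorted(hits)


def build_sample_db():
    """Constructed data: in-memory SQLite stand-in for the WordPress table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_postmeta (meta_id INTEGER, post_id INTEGER,"
                 " meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_postmeta VALUES (?, ?, ?, ?)", [
        (1, 10, "example_popup_js", "console.log('popup opened');"),
        (2, 11, "example_popup_js", "var u='//TTINCOMING.traveltraffic.cc/x';"),
        (3, 12, "example_popup_css", "body{color:#333}"),
    ])
    return conn


if __name__ == "__main__":
    print(find_injected_rows(build_sample_db()), version_status("4.2.3"))
```

A row flagged this way identifies the popup (post_id) whose Custom JavaScript or Custom CSS needs review; a clean result only covers these two domains, not other injected code.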