MalCare Proactively blocks 100,000+ attacks Targeting Popup Builder XSS vulnerability


MalCare has been proactively blocking over 100,000 cross-site scripting (XSS) attacks daily targeting customer websites. These attacks attempt to exploit a vulnerability found in the popular Popup Builder plugin, and MalCare’s Atomic Security has stopped them cold—without needing a special patch. 

This vulnerability has seen a huge volume of attacks because it has a very low barrier to entry. This means the hacker doesn’t need an account on the target site for an attack to be successful. A single request is all it takes, and the site is breached. The next step is to fill it up with malware and take it over completely. All of this can take less than five minutes. 

Popup builder plugin
Popup Builder plugin

100k WordPress sites are at risk

In addition to the vulnerability being very dangerous and easily exploitable, it is also widespread. 

Over 100,000 sites are using the vulnerable version of the Popup Builder plugin (v4.2.2 and earlier). With an active installation count of over 200,000, this statistic shows that more than 50% of the total sites using this plugin are at risk of suffering XSS attacks.

Popup Builder plugin usage details
Popup Builder active version stats

These attacks are so serious that even a single request is enough for hackers to take over your site completely. MalCare has cleaned thousands of unprotected sites that were hacked by exploiting the Popup Builder vulnerability. 

These attacks have only increased in number once the vulnerability was disclosed, and now, MalCare has been repelling over 100,000 attacks daily on its customer sites from day one. Therefore, MalCare-protected sites with the vulnerable plugin were not affected by the attacks at all. 

Attacks blocked by MalCare over the last 30 days

Despite this, we strongly recommend you update the Popup Builder plugin on your WordPress site immediately.

What is the Popup Builder plugin vulnerability?

Plugin information

  • Vulnerable plugin version: v4.2.2 and earlier
  • Patched plugin version: v4.2.3 and newer

About the vulnerability

Popup Builder is a popular WordPress plugin, seeing over 200,000 active installs. It helps create customizable popups for websites and boasts an intuitive, user-friendly interface along with a custom CSS/JS coding space. It provides both free and paid popups with various features that help websites stand out when marketing themselves.

The Popup Builder vulnerability stems from insufficient input sanitization and output escaping. This means that unauthenticated attackers can inject arbitrary web scripts in web pages that will execute whenever a user accesses such an injected page. 

This is usually followed by the attackers uploading a malicious plugin to the site or creating a malicious admin, which leads to a complete takeover of the website. This kind of attack does not require the attacker to possess any account or privilege on the website and therefore has a very low barrier to entry.

The vulnerability has now been fixed with the release of Popup Builder v4.2.3 on December 7, 2023.

Additional information

Top origin IP addresses for these attacks

Top origin countries for these attacks



Popup Builder plugin hacker script 1
Popup Builder plugin hacker script 2
Sample hacker scripts

Who discovered this vulnerability?

The vulnerability in the Popup Builder plugin was discovered by Automattic security researcher Marc-Alexandre Montpas. Subsequently, the developer released the patch on December 7, 2023, followed by a full disclosure of the vulnerability on December 11, 2023.

How is your WordPress site at risk?

Your WordPress site is at risk if it runs the Popup Builder plugin v4.2.2 or earlier.

Hackers can exploit this particular vulnerability to conduct harmful activities, such as:

  • Injecting malicious scripts for phishing or clickjacking attacks, or simply to redirect users to prohibited sites,
  • Using compromised sites as command-and-control centers for broader attacks and eventually getting them blacklisted by Google,
  • Installing backdoors to re-infect cleaned sites,
  • Creating unauthorized admin accounts to seize complete control over sites, and
  • Accessing and stealing sensitive information like user credentials and personal details stored in databases.

Addressing this vulnerability is crucial. To date, more than 100,000 sites worldwide have not updated to the patched version of this plugin, despite the vulnerability being disclosed about 3 months ago. This leaves them, and their visitors, exposed to potential attacks—unless of course, they are using MalCare.

What are the symptoms of a hacked site?

If you have reason to suspect that your WordPress site might have fallen victim to attacks exploiting this vulnerability, here are some signs you need to look out for:

  • An admin user account with the username wpx or email
  • An admin user account with the username crander or email
  • Presence of the wp-felody WordPress plugin
Popup Builder plugin hacker activity
Hacker activity as seen on MalCare’s Activity Log

If you see any of these signs, it might be that your site is compromised. Take immediate action to update the Popup Builder plugin and clean your site using MalCare.

How to clean your site?

If your WordPress site has been attacked, don’t worry. There are effective steps to recover and secure your site:

  • Start with MalCare: Installing MalCare is your priority. Its sophisticated technology quickly cleans malware and prevents future attacks with its Atomic Security feature.
  • Check user roles and permissions: Examine the roles and permissions of all users. Remove any suspicious access immediately.
  • Update WordPress salts and security keys: Doing this will log out all users and terminate all sessions, enhancing your site’s security. MalCare helps you reset WordPress salts and security keys right when you clean your site.
  • Change login credentials: Immediately update your admin password. Ensure all users log out, reset their passwords, and set strong new ones.
  • Enhance login security: Adding two-factor authentication (2FA) and setting limits on login attempts can greatly reduce the risk of unauthorized access.
  • Monitor your site with alerts: With MalCare, you’re covered in this area. MalCare tracks site activities and alerts you to suspicious behavior, while constantly scanning for malware.

Is the update going to break your site?

Short answer: no it will not. 

If you are concerned about whether updating the Popup Builder plugin would affect your live site, worry not! The updates following v4.2.2 have all scored above 90 on our UpdateLens tests. This shows that updating to the latest version of the Popup Builder plugin is safe and sound.

Popup Builder plugin UpdateLens score
UpdateLens data for Popup Builder plugin updates

UpdateLens is our intelligent plugin update engine that provides you with a confidence score for each pending plugin update. It takes into consideration various factors such as code changes, version gaps, etc. to score every update. A score of 75 or higher means the plugin can be updated safely without disrupting your live site.

This situation has highlighted a broader concern within the WordPress community: a hesitation to update regularly, either due to a lack of awareness or worry about disrupting site functionality. This is why we also came up with UpdateLens: to take the stress out of applying critical updates.

MalCare’s continuous security research

Our comprehensive study of thousands of Cross-Site Scripting (XSS) vulnerabilities has yielded some critical insights into the landscape of WordPress web security. Despite XSS vulnerabilities generally receiving lower Common Vulnerability Scoring System (CVSS) scores compared to PHP object injection vulnerabilities, our research indicates they are 10 times more likely to result in a website being compromised.

XSS attacks come in many forms, but notably, the industry has struggled to counter JavaScript (JS) context attacks effectively. These vulnerabilities represent a significant risk, as we’ve identified them as a common denominator in millions of WordPress site security breaches. Our analysis included a deep dive into thousands of incidents involving JS-based malware, providing us with a unique view of the attack vectors used.

How Atomic Security protects a WordPress site

By meticulously studying hundreds of patterns in hacker scripts, including the sophisticated methods they use for obfuscation, we’ve accumulated a wealth of knowledge on how these attacks are constructed. Leveraging this understanding, we’ve developed a set of firewall rules grounded in Atomic Security principles. These rules are designed from first principles, aiming to proactively block a broad spectrum of exploits while minimizing the occurrence of false positives.

Atomic Security blocked exploits of Popup builder proactively

Our proactive approach has significantly advanced the state of WordPress security. A testament to our success is our handling of the Popup Builder vulnerability, a major XSS vulnerability actively exploited by attackers. Thanks to our specially designed firewall rules, thousands of WordPress websites were protected against this vulnerability without any need for manual intervention. This showcased our ability to stay ahead of emerging threats and safeguard the WordPress ecosystem effectively.


You may also like

WPMU DEV Review: Features, Pricing and Details
WPMU DEV Review: Features, Pricing and Details

In a world where time is money, you want tools that save you time, giving you room to make more money. When you manage multiple WordPress sites, your task list…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.