WordPress plugin vulnerability enables hackers to inject malware into nearly 100,000 websites

Buzz

Ngày cập nhật gần nhất: 15/4/2026

The vulnerabilities in Popup Builder WordPress plugin could allow hackers to inject JavaScript code into pop-up windows displayed on tens of thousands of websites, enabling information theft and potential complete takeover of targeted websites.

With Popup Builder, website owners can create, deploy, and manage customizable pop-up windows. These pop-ups can contain various content, from HTML and JavaScript code to images and videos.

WordPress security loophole permits hackers to attack 100,000 websites

The author of this plugin, Sygnoos, has advertised it as a tool that can boost revenue through pop-up windows, used for displaying ads, registration requests, discounts, and various other advertising content.

Vulnerabilities for Information Disclosure and XSS Attacks

The security vulnerabilities discovered by Defiant QA Engineer Ram Gall affect all versions and include Popup Builder 3.63.

Gall stated: 'One vulnerability allows attackers to inject malicious JavaScript into any public-facing pop-up window. The malicious code will then execute whenever the pop-up window is loaded. Typically, attackers use such vulnerabilities to redirect visitors to malicious advertising websites or steal sensitive information from their browsers, although it could also be used to take over the website if an administrator accesses or previews a page containing an infected pop-up window while logged in.'

Another flaw allows any logged-in user with access to plugin features to export mailing list subscribers and system configuration information with a simple POST request to admin-post.php.

The vulnerability has been patched, but tens of thousands are still under attack

The tracked vulnerabilities are CVE-2020-10196 and CVE-2020-10195, allowing for Stored XSS attacks, configuration disclosure, user data export, and website settings modification.

Sygnoos addressed the security incident by releasing Popup Builder 3.64.1 a week after Defiant reported the issue.

Frequently Asked Questions

What security vulnerabilities exist in the Popup Builder WordPress plugin?

The Popup Builder WordPress plugin has serious vulnerabilities that allow hackers to inject JavaScript code into pop-up windows. This can lead to information theft or complete takeover of targeted websites, affecting tens of thousands of sites.

How could hackers exploit the Popup Builder vulnerabilities?

Hackers could exploit these vulnerabilities by injecting malicious JavaScript into pop-ups, which can redirect visitors to harmful websites or steal sensitive information. If an administrator accesses an infected pop-up, the site could be taken over.

What actions were taken to fix the vulnerabilities in Popup Builder?

Sygnoos, the plugin's author, addressed the security vulnerabilities by releasing Popup Builder version 3.64.1 shortly after they were reported by Defiant. This patch aims to protect affected websites from exploitation.

Is the Popup Builder plugin still vulnerable after the patch was released?

No, the vulnerabilities have been patched in the latest version of Popup Builder. However, tens of thousands of websites may still be vulnerable if they have not yet updated to version 3.64.1.

What types of content can be displayed using the Popup Builder plugin?

The Popup Builder plugin allows website owners to create customizable pop-up windows containing various content types, including HTML, JavaScript, images, videos, ads, registration requests, and discount offers.

Mytour's content is for customer care and travel encouragement only, and we are not responsible.

For errors or inappropriate content, please contact us at: [email protected]