
CVE-2023-6000: Sygnoos Popup Builder XSS Vulnerability

CVE-2023-6000 is a stored cross-site scripting flaw in Sygnoos Popup Builder for WordPress that allows unauthenticated visitors to inject malicious JavaScript. This article covers technical details, affected versions, and mitigations.


CVE-2023-6000 Overview

CVE-2023-6000 is a stored cross-site scripting (XSS) vulnerability in the Popup Builder WordPress plugin developed by Sygnoos. The flaw affects all versions before 4.2.3 and stems from missing access controls on popup update operations. Unauthenticated visitors can modify existing popups and inject arbitrary JavaScript into them. When administrators or site visitors load an affected page, the injected payload executes in their browser context. The vulnerability is tracked under CWE-79 and carries an EPSS probability of 69.124%, placing it in the 98.663 percentile for likelihood of exploitation.

Critical Impact

Unauthenticated attackers can inject persistent JavaScript into popups, enabling session theft, administrator account takeover, and arbitrary actions performed in the context of authenticated WordPress users.

Affected Products

  • Sygnoos Popup Builder plugin for WordPress, all versions prior to 4.2.3
  • WordPress sites with the Popup Builder plugin installed and active
  • Any WordPress administrator or visitor session loading a compromised popup

Discovery Timeline

  • 2024-01-01 - CVE-2023-6000 published to the National Vulnerability Database
  • 2025-06-18 - Last updated in NVD database

Technical Details for CVE-2023-6000

Vulnerability Analysis

The Popup Builder plugin exposes functionality that allows updates to existing popup objects without verifying that the requester holds appropriate privileges. The plugin treats any visitor — including unauthenticated users — as authorized to submit popup update requests. Combined with insufficient sanitization of popup content fields, this allows attackers to write raw JavaScript directly into popup markup stored in the WordPress database.

Because the payload is stored server-side and rendered to every visitor who triggers the popup, exploitation produces persistent XSS rather than reflected XSS. A single successful request can compromise every subsequent visitor session, including authenticated administrators. According to the WPScan vulnerability report, the issue was remediated in version 4.2.3.

Root Cause

The plugin's popup update handler lacks a capability check and a nonce verification step. It also fails to filter HTML and JavaScript from popup content fields before persisting them. This combination of broken access control and missing sanitization or output encoding produces the stored XSS condition described in CWE-79.

Attack Vector

An attacker sends a crafted HTTP request to the vulnerable plugin endpoint, supplying the target popup identifier and a JavaScript payload as the popup body. No authentication, cookies, or user interaction beyond a standard browser visit is required to write the payload. When a victim — typically an administrator viewing the site or the popup editor — loads the affected popup, the browser executes the attacker-controlled script. See the WPScan blog post for additional technical detail on the exploitation flow.

Detection Methods for CVE-2023-6000

Indicators of Compromise

  • Unexpected <script> tags, event handlers, or obfuscated JavaScript stored in wp_postmeta rows associated with the popupbuilder post type
  • Outbound HTTP requests from administrator browsers to unfamiliar domains immediately after loading the WordPress admin dashboard
  • New administrator accounts, modified user roles, or unexpected plugin installations following popup edits from unauthenticated sources

Detection Strategies

  • Audit WordPress database tables for popup records containing <script, onerror=, onload=, or javascript: substrings
  • Review web server access logs for POST requests to Popup Builder AJAX endpoints originating from unauthenticated sessions
  • Compare installed Popup Builder version against the fixed release 4.2.3 using wp plugin list or the plugins admin page
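The database audit in the Detection Strategies list and the indicators listed above can be turned into a script. The following is an added example, not code from this page or from Sygnoos: it scans post content and postmeta for the `popupbuilder` post type named in the indicators and reports any record matching a script tag, an inline event handler, or a `javascript:` URI. When executed through WP-CLI (`wp eval-file scan-popups.php`) it reads live rows from `$wpdb`; run directly with `php scan-popups.php` it uses the constructed sample rows embedded below. The file name and the sample data are assumptions.

```php
<?php
// Added example, not Popup Builder code: scan popup records for stored-XSS
// indicators. Regexes rather than fixed substrings so that any on*= handler
// and spacing variants such as "onerror =" are caught.
const SUSPICIOUS_PATTERNS = [
    'script tag'     => '/<\s*script\b/i',
    'event handler'  => '/\bon[a-z]+\s*=/i',     // onerror=, onload=, onclick=, ...
    'javascript uri' => '/javascript\s*:/i',
];

/**
 * Return [record_id => [matched indicator names]] for every row whose content
 * matches an indicator. Content is entity-decoded first so that an encoded
 * "&lt;script" is also surfaced for review (this favours false positives over
 * misses; a human still triages the output).
 */
function find_suspicious_popups(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        $content = html_entity_decode((string) $row['content'], ENT_QUOTES, 'UTF-8');
        $hits = [];
        foreach (SUSPICIOUS_PATTERNS as $name => $regex) {
            if (preg_match($regex, $content) === 1) {
                $hits[] = $name;
            }
        }
        if ($hits !== []) {
            $flagged[$row['id']] = $hits;
        }
    }
    return $flagged;
}

/**
 * Pull popup bodies (post_content) and popup settings (postmeta) for the
 * popupbuilder post type. Serialized meta values are scanned as raw strings,
 * which still exposes injected markup inside them.
 */
function load_rows_from_wpdb(): array
{
    global $wpdb;
    $rows = [];
    $posts = $wpdb->get_results($wpdb->prepare(
        "SELECT ID, post_content FROM {$wpdb->posts} WHERE post_type = %s",
        'popupbuilder'
    ), ARRAY_A);
    foreach ($posts as $p) {
        $rows[] = ['id' => 'post:' . $p['ID'], 'content' => $p['post_content']];
    }
    $meta = $wpdb->get_results($wpdb->prepare(
        "SELECT m.meta_id, m.meta_value FROM {$wpdb->postmeta} m
         JOIN {$wpdb->posts} p ON p.ID = m.post_id WHERE p.post_type = %s",
        'popupbuilder'
    ), ARRAY_A);
    foreach ($meta as $m) {
        $rows[] = ['id' => 'meta:' . $m['meta_id'], 'content' => $m['meta_value']];
    }
    return $rows;
}

$rows = isset($GLOBALS['wpdb']) ? load_rows_from_wpdb() : [
    // Constructed sample rows for offline use, not data from any real site.
    ['id' => 'post:101', 'content' => '<p>Subscribe to our newsletter!</p>'],
    ['id' => 'post:102', 'content' => '<p>Sale</p><img src=x OnError = "alert(document.domain)">'],
    ['id' => 'meta:7',   'content' => 'a:1:{s:4:"link";s:18:"JavaScript:void(0)";}'],
];

$flagged = find_suspicious_popups($rows);
foreach ($flagged as $id => $hits) {
    printf("%s: %s\n", $id, implode(', ', $hits));
}
// Non-zero exit lets a cron job or CI check fail loudly when anything matches.
exit($flagged === [] ? 0 : 1);
```

Against the sample rows the script reports `post:102` (event handler) and `meta:7` (javascript uri) and exits 1. Run it before and after the upgrade to 4.2.3: the upgrade stops new injections but does not clean records that were already modified.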

Monitoring Recommendations

  • Enable WordPress audit logging to capture popup create and update events with originating IP and authentication state
  • Monitor outbound network traffic from administrator workstations for connections to known credential-exfiltration domains
  • Alert on changes to WordPress user roles, especially privilege elevations to administrator, occurring shortly after popup modifications

How to Mitigate CVE-2023-6000

Immediate Actions Required

  • Upgrade the Popup Builder plugin to version 4.2.3 or later on every WordPress instance where it is installed
  • Inspect all existing popups for injected JavaScript and remove or restore them from a known-good backup
  • Rotate WordPress administrator passwords and invalidate active sessions if injection is suspected

Patch Information

Sygnoos released Popup Builder 4.2.3, which adds authorization and nonce checks to popup update handlers and sanitizes popup content fields. Site operators should apply the update through the WordPress plugins admin page or via WP-CLI. Refer to the WPScan advisory for confirmation of the fixed version.
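The three controls this section and the Root Cause section describe (an authorization check, a nonce check, and sanitization of the content field) look like the following in a hypothetical WordPress AJAX handler. This is an added illustration, not Popup Builder's actual code before or after 4.2.3; the action name `sgpb_example_update`, the request fields `popup_id` and `popup_content`, and the nonce name are assumptions. The insecure pattern is shown first so the missing checks are visible next to their fix.

```php
<?php
// Added example, not Sygnoos code. Hook and field names are illustrative.

// --- Insecure pattern (illustrative only; do not deploy) ---
// Registered on the nopriv hook as well, so logged-out visitors reach it,
// and the request body is written to the post unchanged: stored XSS.
add_action('wp_ajax_sgpb_example_update_insecure', 'sgpb_example_update_insecure');
add_action('wp_ajax_nopriv_sgpb_example_update_insecure', 'sgpb_example_update_insecure');

function sgpb_example_update_insecure() {
    $popup_id = (int) $_POST['popup_id'];
    wp_update_post([
        'ID'           => $popup_id,
        'post_content' => wp_unslash($_POST['popup_content']),
    ]);
    wp_send_json_success();
}

// --- Hardened pattern ---
// Authenticated hook only: admin-ajax.php answers logged-out callers with a 400
// when no wp_ajax_nopriv_* handler exists for the action.
add_action('wp_ajax_sgpb_example_update', 'sgpb_example_update');

function sgpb_example_update() {
    // 1. CSRF protection: the request must carry a nonce minted for this action
    //    (front end obtains it from wp_create_nonce('sgpb_example_update')).
    check_ajax_referer('sgpb_example_update', 'nonce');

    $popup_id = isset($_POST['popup_id']) ? absint($_POST['popup_id']) : 0;

    // 2. The target must exist and actually be a popup.
    if ($popup_id === 0 || get_post_type($popup_id) !== 'popupbuilder') {
        wp_send_json_error(['message' => 'invalid popup'], 404);
    }

    // 3. Authorization: the caller must be allowed to edit this specific post,
    //    which stops low-privilege authenticated users as well as visitors.
    if (!current_user_can('edit_post', $popup_id)) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // 4. Sanitization: wp_kses_post() removes <script>, on* attributes and
    //    javascript: URLs while keeping ordinary post markup.
    $content = isset($_POST['popup_content'])
        ? wp_kses_post(wp_unslash($_POST['popup_content']))
        : '';

    $result = wp_update_post([
        'ID'           => $popup_id,
        'post_content' => $content,
    ], true);

    if (is_wp_error($result)) {
        wp_send_json_error(['message' => $result->get_error_message()], 500);
    }
    wp_send_json_success(['id' => $popup_id]);
}
```

Each layer covers a different failure: dropping the `wp_ajax_nopriv_` registration removes the unauthenticated path, the nonce stops a logged-in administrator from being made to submit the request from another site, the capability check keeps subscriber-level accounts out, and `wp_kses_post()` limits the damage if any of the previous checks is ever bypassed.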

Workarounds

  • Deactivate the Popup Builder plugin until the upgrade to 4.2.3 or later can be completed
  • Place a web application firewall rule in front of the site to block requests to Popup Builder update endpoints from unauthenticated sources
  • Restrict access to /wp-admin/admin-ajax.php by IP allowlist where operationally feasible

```bash
# Configuration example - upgrade Popup Builder via WP-CLI
wp plugin update popup-builder --version=4.2.3
wp plugin list --name=popup-builder --fields=name,status,version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
