Support » Plugin: Popup Builder - Responsive WordPress Pop up - Subscription & Newsletter » Popup Builder REMOVING(!) GDPR cookie consent plugin – suspicious source code

  • Resolved bambambam


    In the last few days I installed the latest version (3.65.1) of your plugin on several (5) websites (we are web developers).

    Although the reported vulnerabilities of your plugin (see e.g.: should be solved with upgrading the plugin to version 3.65 or even 3.64.1, I noticed that in 4 of 5 websites the GDPR Cookie Consent that has been installed in each of these websites has DISAPPEARED (also if I check with FTP!), there is no GDPR Cookie Consent plugin in the wp-content/plugins folder any more!

    I also noticed, that after installation of Popup Builder and activation of a popup, in in the HTML source code of ALL websites I noticed a sequence which looks very suspicious (see below). Countless repitions of “ICAgICAgICAg”….

    Why did your plugin remove my Cookie Consent plugins?????
    Can the plugin really be trusted in the newer versions?

    in the HTML Source code of ALL of the websites I found:

    [ Deleted, do not post malware code in these forums ]

    • This topic was modified 9 months, 3 weeks ago by Jan Dembowski.

    The page I need help with: [log in to see the link]

Viewing 13 replies - 1 through 13 (of 13 total)
  • Moderator Jan Dembowski


    Forum Moderator and Brute Squad

    I’m sorry you’ve been hacked but please do not post malware code on this site again. Doing that does not help you or anyone.

    Please remain calm and give this a good read. You need to delouse your site and this can help you do that.

    When you have successfully deloused your site then consider giving this a read too.

    Dear Sir,
    I am not very pleased with your answer, but maybe I didn’t explain clearly enough what happened.
    The issues (Cookie Plugin DELETED, malware code in HTML source files) happened only after FRESHLY installing YOUR PLUGIN in the reportedly BUGFREE versions 3.64.1 or 3.65 and 3.65.1.
    We did not use your plugin before. Since it is very well rated, I was not prepared for problems with Plugin Builder.
    Many of our customers needed popups in the last week because of the corona crisis, so we used your plugin for the first time on several websites.
    If you read the html code I sent you, you will have noticed that the malware is placed between calls to popup builder javascript files. Exactly the same on all 5 websites.
    Plus: If I disable your popup, the malware code disappears from the html source.
    SOOOOO I suppose your plugin has something to do with it and contains bugs also in the newest versions.
    The issues happen ONLY in these few websites where we (freshly) installed the officially patched versions of your plugin (3.64.1 or 3.65 and 3.65.1.)
    Again I point out – we did not use the “officially” bugged versions of your plugin before, only the reportedly patched versions.

    I just talked to another webdesigner/programmer I know and he found the same issues on one of his websites, where he also used your plugin for the first time a few days ago.

    I think all this sounds very alarming and you should find out what happens – if you care about your customers. Maybe you should just check it out…. 😉

    Looking forward to a more adequate answer,
    Martina Bartik

    My webdesigner/programmer collegue also found 2 of “his” websites infected – same setting, he used your plugin for the first time a few days ago to implement “corona”-popups for his customers.

    he also ONLY used the newest versions of your plugin and NEVER before any old versions, he also used it for the first time

    Moderator Jan Dembowski


    Forum Moderator and Brute Squad

    I think we got off on the wrong foot. I’ll explain.

    See the title next to my name? This is not my plugin so please don’t reply to me with “your plugin” I have nothing to do with this or any plugin or theme. You got my attention when you twice posted malware on this site. I archived your other reply.

    I’m a forum moderator and you are a free user of an open source plugin. You are not a customer of this plugin author here. There are no customers or companies on this entire site. The plugin author doesn’t owe you an answer or even a reply. Though it is nice when they do.

    Your site was hacked. It may be due to this plugin or it may not. In any case, your site needs to be deloused as it was compromised. What happened to the other plugin really is incidental here. You need your site to be cleaned and that link I provided will help you accomplish that.

    Thank you for your answer.
    I am sorry, I barked up the wrong tree obviously.

    I’ll try again to reach the developers of the plugin “popup builder”, I am very sure the plugin is the culprit, it was infecting 9 websites I know of, and they really have to evaluate the new versions of the plugin (who were reported bug-free after major issues in the versions before).

    That’s why I got a bit angry about the relaxed answer, mistaking you for a developer.

    Please tell me: Should I post once again in this forum and open another thread to reach the developers?

    Of course I won’t post the html source code including the malware again, thanks for the information.

    Thank you and good evening,

    Moderator Steven Stern (sterndata)


    Forum Moderator & Support Team Volunteer

    There’s really no point in posting the malware. You need to clean your site.

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Dear Steve Stern,
    I will of course have to clean ALL the hacked sites – it’s not only one, as I wrote, but 5 sites of my customers and 4 of my colleague, another web designer.

    It’s obvious that the plugin popup builder is the culprit – in the newest version 3.65.1. as I must point out – and the plugin has never before installed in a lower version.

    Please, der Steve Stern, inform the developers of the plugin “Popup Builder”, I think it is important for them to know about this serious bug.
    If you cannot do that, please tell me how to reach the developers.

    Thank you.
    Martina Bartik

    Plugin Support Sygoos Support Team


    Hi @bambambam,

    Thank you for contacting us.
    Thank you for contacting us.
    We are sorry for the late response and don’t worry we do our best to assist all our users.
    As for your inquiry, we did have an issue that as resolved after a few hours. We have updated the version of our plugin after that and made it more secure and reliable.
    Our team is apologizing and we hoping that our customers can be understanding due to the circumstances.
    Moreover, please send the code to us (via email: so that we can check it as it will be better if it is not written in this forum.
    Also, I will need to mention that we have those reviews because we try to deliver a great service for our users and pay attention to every detail.

    Thank you for your information and apologies, glad to hear you found the vulnerability in the plugin versions 3.64.1, 3.65 and 3.65.1., and that the bug is fixed.

    In the meantime I have deleted your plugin on “my” 5 websites and used other plugins instead, some hours’ work…
    It seems to me, though, that with deinstalling the popup builder plugin the problem might be solved.

    Can you give me more information about what the “issue” did? So that I know what has to be done to clean the websites? I really don’t want to take 5 websites offline…

    I send you the HTML source code in an email, for analytical purposes.

    Thank you for the otherwise very nice plugin – just make sure to test the new version rigidly, to avoid further issues 😉

    @bambambam Per Wordfence:

    “…an unauthenticated attacker could send a POST request to wp-admin/admin-ajax.php with an array parameter, ‘allPopupData’, containing a number of key-value pairs including a popup’s ID (visible in the page source) and a malicious JavaScript payload, which would then be saved in that popup’s settings and executed whenever a visitor navigated to a page where the popup was displayed.”

    So basically they just had to browse your website, notate the popup ID on pages that it was active, and submit a crafted POST with their desired Javascript payload.

    Thank you!
    I am in email contact with your collegue Nana for Details.

    Important for developers -so I point it out once again: The deletion of the GDPR Cookie Consent plugin happened when the latest version 3.65.1 of popup builder was used in a fresh install, on at least 3 websites (on other websites where this happened versions 3.65 and 3.64.1 were in use).

    Plugin Support Sygoos Support Team


    Hi @bambambam,

    Thank you for contacting us via email.
    I will now mark this conversation as resolved.

Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘Popup Builder REMOVING(!) GDPR cookie consent plugin – suspicious source code’ is closed to new replies.