Tens of thousands of WordPress (WP) sites have been compromised by a flaw in popular premium themes, with attackers using the vulnerability to redirect visitors elsewhere.
As reported by BleepingComputer, security researchers at Sucuri recently discovered that the tagDiv Newspaper and tagDiv Newsmag WordPress themes both ship with a vulnerable companion tool called tagDiv Composer.
This tool was vulnerable to a cross-site scripting (XSS) flaw, tracked as CVE-2023-3169, which allowed remote attackers to submit and execute PHP code, with some hackers exploiting the flaw to deliver the Balada Injector, which redirected visitors to fake technology support pages, landing pages for fake lottery winnings, and various push notification scams.
The importance of patching
In total, at least 17,000 WordPress websites were hacked in September alone, according to Sucuri. The total attack surface is around 155,000 websites, the cumulative number of sites running tagDiv’s vulnerable premium themes (not counting pirated copies).
This isn’t an entirely new flaw either: Dr. Web first documented it in December 2022, and according to some researchers the Balada Injector campaign itself has been active since 2017. tagDiv, the company behind the premium themes, was alerted to the flaws months ago and has since released a patch. The problem is that many site owners did not apply the fix in time.
“We are aware of these cases. The malware may affect websites using older theme versions,” said tagDiv. “In addition to updating the theme, it is advisable to immediately install a security plugin such as Wordfence and scan the website. Also change all website passwords.”
The earliest safe version of tagDiv Composer is 4.2.
As a web-builder platform, WordPress itself is generally considered safe. It is the plugins and themes, such as these two, that cybercriminals typically scan for flaws to exploit. Website owners are therefore advised to install plugins and themes only from reputable sources and to keep them updated.
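A small version audit, added here as an example and not code from the article or from tagDiv: it reads the standard WordPress plugin header of an installed tagDiv Composer copy and flags anything below 4.2, the earliest version the article names as safe. The plugin directory name td-composer and the sample headers are assumptions.

```python
import re

MIN_SAFE_VERSION = "4.2"      # earliest safe tagDiv Composer release named in the article
TARGET_SLUG = "td-composer"   # assumed directory name of the bundled plugin

# WordPress reads plugin metadata from "Key: value" lines in the main file's header comment.
_VERSION_RE = re.compile(r"^[ \t*#/]*Version:[ \t]*([0-9][0-9A-Za-z.-]*)", re.I | re.M)
_NAME_RE = re.compile(r"^[ \t*#/]*Plugin Name:[ \t]*(.+?)[ \t]*$", re.I | re.M)

def version_key(ver):
    """Numeric components only: '4.10.1' -> [4, 10, 1], '4.2-beta' -> [4, 2]."""
    return [int(p) for p in re.findall(r"\d+", ver)]

def is_older(installed, minimum):
    """True when installed < minimum; missing trailing parts count as 0 so 4.2 == 4.2.0."""
    a, b = version_key(installed), version_key(minimum)
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) < b + [0] * (n - len(b))

def parse_header(text):
    """Return (plugin name, version) from a plugin file's header, None where absent."""
    name, ver = _NAME_RE.search(text), _VERSION_RE.search(text)
    return (name.group(1) if name else None, ver.group(1) if ver else None)

def audit(plugins):
    """plugins: {slug: header text}. Returns (slug, version, verdict) for tagDiv Composer only."""
    findings = []
    for slug, text in plugins.items():
        if slug != TARGET_SLUG:
            continue
        _, ver = parse_header(text)
        if ver is None:
            findings.append((slug, None, "no Version header; verify manually"))
        elif is_older(ver, MIN_SAFE_VERSION):
            findings.append((slug, ver, f"below {MIN_SAFE_VERSION}; update the theme and scan the site"))
        else:
            findings.append((slug, ver, "at or above safe version"))
    return findings

# Constructed sample headers (not real files): one outdated Composer, one unrelated plugin.
SAMPLES = {
    "td-composer": "<?php\n/*\nPlugin Name: tagDiv Composer\nVersion: 4.1\n*/\n",
    "akismet": "<?php\n/*\nPlugin Name: Akismet\nVersion: 5.0\n*/\n",
}

if __name__ == "__main__":
    for slug, ver, verdict in audit(SAMPLES):
        print(f"{slug} {ver}: {verdict}")
```

On a live install, feed `audit()` the first few kilobytes of each `wp-content/plugins/<slug>/` main PHP file keyed by directory name.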
Via BleepingComputer