TagDiv Plugin vulnerability used in hacking campaign on WordPress sites

published: Oct. 9, 2023

Take action: If you are using TagDiv Composer or the Newspaper and Newsmag WordPress themes you need to start updating now, as well as checking for Indicators of Compromise


Learn More

Vulnerability affecting a plugin linked to the Newspaper and Newsmag WordPress themes has been exploited to compromise thousands of WordPress websites, as reported by Sucuri security researchers. The ongoing attack has been dubbed the "Balada Injector" campaign.

The vulnerability, tracked as CVE-2023-3169 is present in the TagDiv Composer front-end page builder plugin associated with the Newspaper and Newsmag premium themes, both of which have been sold nearly 140,000 times. The vulnerability allows for stored cross-site scripting (XSS) attacks by an attacker without authentication.

The vulnerability details were disclosed in mid-September, and shortly thereafter, Sucuri began observing attacks exploiting this weakness. These attacks are attributed to the Balada Injector threat group, which typically hijacks websites to redirect visitors to fake tech support, lottery, and other fraudulent sites. Since 2017, it is estimated that over one million WordPress sites have been infected as part of the Balada Injector campaign.

The recent wave of attacks has affected over 17,000 websites by Balada Injector, with 9,000 of them being targeted specifically through the exploitation of the TagDiv plugin vulnerability. The attackers leveraged CVE-2023-3169 to inject malicious code into a specific location within the WordPress database. This ensured that their code would be spread across all public pages of the targeted website.

Once initial access was obtained, the attackers followed a consistent pattern. They uploaded backdoors, installed malicious plugins, and created admin accounts to escalate their privileges and maintain persistent access. The attackers demonstrated an agile approach, continuously modifying their injected scripts, using varied obfuscation methods, employing multiple domains and subdomains, abusing CloudFlare, and implementing various techniques to target administrators of compromised WordPress sites.

Sucuri has documented technical specifics and indicators of compromise (IoCs) in a blog post, aiding in the identification of WordPress websites that may have fallen victim to the Balada Injector campaign.

TagDiv Plugin vulnerability used in hacking campaign on WordPress sites