Thousands of WordPress sites have been hit by another major plugin flaw - find out if you're at risk

News
By
published

Two premium WordPress plugins vulnerable to high-severity flaw

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)

Tens of thousands of WordPress (WP) sites have been compromised through a flaw in popular premium themes, with the attackers using the vulnerability to redirect visitors elsewhere.

As reported by BleepingComputer, cybersecurity researchers Sucuri recently discovered that tagDiv Newspaper and tagDiv Newsmag WordPress themes both carried a vulnerable companion tool called tagDiv Composer. 

This tool was vulnerable to a cross-site scripting flaw (XSS) tracked as CVE-2023-3169, allowing attackers to remotely send and run PHP code, with some hackers abusing the flaw to deliver the Balada Injector, which redirected visitors to fake tech support pages, fake lottery wins landing pages, and various push notifications scams.

The importance of patching

In total, Sucuri claims, at least 17,000 WordPress websites were compromised in September alone. The entire attack surface counts some 155,000 websites, as those are cumulatively all sites using tagDiv’s vulnerable premium themes (not accounting for pirated copies).

This is not a brand-new flaw, either, first being discovered by Dr. Web in December 2022. The Balada Injector campaign, some researchers believe, has been active since 2017. The company behind the premium themes, tagDiv, was notified of the existence of the flaws months ago and has since released a patch. The problem is that many site owners didn’t apply the fix on time. 

"We are aware of these cases. The malware can affect websites using older theme versions," tagDiv said. "Besides updating the theme, the recommendation is to immediately install a security plugin such as wordfence, and scan the website. Also change all the website passwords."

The earliest secure version of tagDiv Composer is 4.2.

As a web-builder platform, WordPress is generally considered safe. It’s the plugins, such as these two, that threat actors usually scan for flaws and abuse. That’s why website owners are advised to only install plugins from reputable sources and make sure they’re regularly updated.

Via BleepingComputer

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Thousands of WordPress websites hit in new malware attack, here's what we know
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Top WordPress plugins found to have some serious security flaws, so make sure you're protected
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Over 10,000 WordPress sites found showing fake Google browser update pages to spread malware
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)
Another major WordPress plugin has been hacked to try and hijack your sites
WordPress
WordPress users beware - these popular theme plugins have some major security issues
Latest in Security
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Web DDoS attacks see major surge as AI allows more powerful attacks
Polish space agency says it was hit by a cyberattack
A pair of hands using a keyboard
Microsoft SharePoint hijacked to spread Havoc malware
Microsoft
Microsoft names cybercriminals who created explicit deepfakes
A laptop with a red screen with a white skull on it with the message: "RANSOMWARE. All your files are encrypted."
More reports claim 2024 was the worst year for ransomware attacks yet
Latest in News
Apple iPad A16
Apple's new entry-level iPad ups the performance for the same price, but doesn't support Apple Intelligence
iPad Air M3
Apple updates iPad Air with powerful M3 chip and pairs it with Pro-level Magic Keyboard
Samsung Galaxy Z Flip 6 in blue
The Samsung Galaxy Z Flip 7 might improve on its predecessor in one crucial way
Nvidia RTX 5070 Founders Edition GPU shown against a green and black backdrop
Nvidia RTX 5070 early pricing hints at plenty of GPUs at the MSRP – but I’ll believe it when I see it
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Guitar Hero Mobile
Activision shares first look at Guitar Hero Mobile and, yeah, it looks like AI slop
More about security
A pair of hands using a keyboard

Microsoft SharePoint hijacked to spread Havoc malware
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.

US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Yasuke rides out, looking over a vibrant forest. A castle can be seen in the background.

Assassin's Creed Shadows requirements for PC and Mac guide
See more latest