Tens of thousands of WordPress (WP) sites have been compromised through a flaw in popular premium themes, with the attackers using the vulnerability to redirect visitors elsewhere.
As reported by BleepingComputer, cybersecurity researchers Sucuri recently discovered that tagDiv Newspaper and tagDiv Newsmag WordPress themes both carried a vulnerable companion tool called tagDiv Composer.
This tool was vulnerable to a cross-site scripting flaw (XSS) tracked as CVE-2023-3169, allowing attackers to remotely send and run PHP code, with some hackers abusing the flaw to deliver the Balada Injector, which redirected visitors to fake tech support pages, fake lottery wins landing pages, and various push notifications scams.
The importance of patching
In total, Sucuri claims, at least 17,000 WordPress websites were compromised in September alone. The entire attack surface counts some 155,000 websites, as those are cumulatively all sites using tagDiv’s vulnerable premium themes (not accounting for pirated copies).
This is not a brand-new flaw, either, first being discovered by Dr. Web in December 2022. The Balada Injector campaign, some researchers believe, has been active since 2017. The company behind the premium themes, tagDiv, was notified of the existence of the flaws months ago and has since released a patch. The problem is that many site owners didn’t apply the fix on time.
“We are aware of these cases. The malware can affect websites using older theme versions,” tagDiv said. “Besides updating the theme, the recommendation is to immediately install a security plugin such as wordfence, and scan the website. Also change all the website passwords.”
The earliest secure version of tagDiv Composer is 4.2.
As a web-builder platform, WordPress is generally considered safe. It’s the plugins, such as these two, that threat actors usually scan for flaws and abuse. That’s why website owners are advised to only install plugins from reputable sources and make sure they’re regularly updated.
Via BleepingComputer