"Recently Patched TagDiv Plugin Flaw Exploited to Hack Thousands of WordPress Sites"

According to security researchers at Sucuri, a recently patched vulnerability affecting a plugin associated with the Newspaper and Newsmag themes has been exploited to hack thousands of WordPress websites as part of a long-running campaign named Balada Injector. The researchers noted that the exploited vulnerability (CVE-2023-3169) was discovered in the TagDiv Composer front-end page builder plugin of the Newspaper and Newsmag premium themes, which have been sold nearly 140,000 times. The researchers stated that the flaw, patched in recent weeks with the release of TagDiv Composer version 4.2, can be exploited for stored cross-site scripting (XSS) by an unauthenticated attacker. Details of the vulnerability were disclosed in mid-September, and Sucuri started seeing attacks exploiting the flaw shortly after.

The researchers linked the attacks to the Balada Injector threat group, which has been around for many years. The group typically hijacks websites in an effort to redirect their visitors to fake tech support, lottery, and other scam sites. In April, the researchers estimated that more than one million WordPress sites had been infected as part of the Balada Injector campaign since 2017.

In the recently observed attacks, the researchers saw over 17,000 websites infected by Balada, including 9,000 related to the exploitation of the TagDiv plugin vulnerability. The hackers exploited CVE-2023-3169 to inject malicious code into a specific location in the WordPress database, ensuring their code would be propagated to every public page of the targeted website. Once they gain initial access to a site, the attackers typically upload backdoors, add malicious plugins, and create admin accounts that expand their capabilities and provide them with persistent access.

 

SecurityWeek reports: "Recently Patched TagDiv Plugin Flaw Exploited to Hack Thousands of WordPress Sites"

Submitted by Adam Ekwall on