Thousands of WordPress sites have been hit by another major plugin flaw - find out if you’re at risk

Two premium WordPress plugins vulnerable to high-severity flaw

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Tens of thousands ofWordPress(WP) sites have been compromised through a flaw in popular premium themes, with the attackers using the vulnerability to redirect visitors elsewhere.

As reported by BleepingComputer, cybersecurity researchersSucurirecently discovered that tagDiv Newspaper and tagDiv NewsmagWordPress themesboth carried a vulnerable companion tool called tagDiv Composer.

This tool was vulnerable to a cross-site scripting flaw (XSS) tracked as CVE-2023-3169, allowing attackers to remotely send and run PHP code, with some hackers abusing the flaw to deliver the Balada Injector, which redirected visitors to fake tech support pages, fake lottery wins landing pages, and various push notifications scams.

The importance of patching

In total, Sucuri claims, at least 17,000 WordPress websites were compromised in September alone. The entire attack surface counts some 155,000 websites, as those are cumulatively all sites using tagDiv’s vulnerable premium themes (not accounting for pirated copies).

This is not a brand-new flaw, either, first being discovered by Dr. Web in December 2022. The Balada Injector campaign, some researchers believe, has been active since 2017. The company behind the premium themes, tagDiv, was notified of the existence of the flaws months ago and has since released a patch. The problem is that many site owners didn’t apply the fix on time.

“We are aware of these cases. The malware can affect websites using older theme versions,” tagDiv said. “Besides updating the theme, the recommendation is to immediately install a security plugin such as wordfence, and scan the website. Also change all the website passwords.”

The earliest secure version of tagDiv Composer is 4.2.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

As aweb-builder platform, WordPress is generally considered safe. It’s the plugins, such as these two, that threat actors usually scan for flaws and abuse. That’s why website owners are advised to only install plugins from reputable sources and make sure they’re regularly updated.

ViaBleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Nokia confirms data breach leaked third-party code, but its data is safe

Rising AI threats are making firms turn back to human intelligence

3 reasons why PIA fell in our best VPN rankings