Vietnamese cybersecurity expert Truoc Phan discovered a vulnerability in the tagDiv Composer plugin for the WordPress CMS. The vulnerability was assigned the identifier CVE-2023-3169, and its exploitation allowed malicious code to be placed on more than 9,000 websites.
The tagDiv Composer plugin is required to install the Newspaper and Newsmag themes for WordPress; the themes are sold on the popular marketplaces Theme Forest and Envato and have been downloaded more than 155,000 times. The XSS vulnerability CVE-2023-3169 allows attackers to inject malicious code into websites, and it received a severity rating of 7.1 out of 10. The tagDiv Composer developers partially fixed it in plugin version 4.1 and fully fixed it in version 4.2.
In practice, attackers exploit this vulnerability to inject scripts that redirect visitors to other websites showing a fake technical-support interface, lottery-win messages, and prompts to subscribe to dubious push notifications. The attacks on the tagDiv Composer plugin vulnerability are part of the larger Balada malware campaign, which cybersecurity experts at the company Sucuri have been monitoring since 2017. Over the last six years, more than a million websites have been hacked as part of the Balada campaign; in September alone, more than 17,000 incidents were registered, and malicious code was published on more than 9,000 websites through the CVE-2023-3169 vulnerability.
The aim of a Balada attack is to gain control of the compromised website. The most common method is to inject malicious code that creates an account with administrative privileges. Real administrators who discover such a compromise are advised to completely remove all traces of malicious activity: most often these are the malicious code and new accounts with administrative rights in the user list. If you remove only the malicious code but leave an illegitimate administrator on the site, the malicious code will return in a new form. Owners of WordPress sites with the Newspaper and Newsmag themes installed are now especially advised to check for signs of an attack.
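A small triage script for the two checks recommended above, added here as an example and not part of the original report or of any Sucuri or tagDiv tooling: it flags administrator accounts missing from a known-good list and lists externally sourced script tags in stored page content. The user records and HTML are constructed samples; the user list is shaped like `wp user list --format=json` output, and the allowlists are assumptions a site owner would fill in.

```python
"""Post-compromise triage for a WordPress site: unexpected admins and foreign scripts."""
import json
import re
from urllib.parse import urlparse

# Constructed sample, shaped like `wp user list --format=json` output (assumed shape).
USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "editor-in-chief", "roles": "administrator",
     "user_registered": "2019-03-02 10:00:00"},
    {"ID": 57, "user_login": "wp-support", "roles": "administrator",
     "user_registered": "2023-09-21 03:14:07"},
    {"ID": 12, "user_login": "writer", "roles": "author",
     "user_registered": "2021-06-11 09:00:00"},
])

# Constructed sample of stored HTML: one injected external script among legitimate ones.
SAMPLE_HTML = (
    '<p>Latest headlines</p>'
    '<script src="https://cdn.example-attacker.invalid/redirect.js"></script>'
    '<script>console.log("inline theme script");</script>'
    '<script src="/wp-includes/js/jquery/jquery.min.js"></script>'
)

# Matches the src attribute of any <script ...> opening tag.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def unexpected_admins(users_json, known_admins):
    """Return logins that hold the administrator role but are not in the baseline set."""
    users = json.loads(users_json)
    return sorted(u["user_login"] for u in users
                  if "administrator" in u["roles"].split(",")
                  and u["user_login"] not in known_admins)


def foreign_script_sources(html, allowed_hosts):
    """Return script src URLs whose host is neither the site itself nor an allowed CDN.
    Relative paths (no host) belong to the site and are not reported."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            hits.append(src)
    return hits


if __name__ == "__main__":
    print("Unexpected admins:", unexpected_admins(USERS_JSON, {"editor-in-chief"}))
    print("Foreign scripts:", foreign_script_sources(SAMPLE_HTML, {"news.example"}))
```

Run it against a real export by replacing the two constructed samples with `wp user list --format=json` output and dumped post or option content; a hit in either list is where cleanup should start, and both lists should be empty after remediation.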