
Thousands of WordPress Sites Hacked Due to Exploited TagDiv Plugin Vulnerability


Report on Recently Exploited TagDiv Plugin Flaw in WordPress Sites

Introduction

A recently patched vulnerability in the TagDiv Composer plugin, which ships with the Newspaper and Newsmag themes, has been exploited by hackers to compromise thousands of WordPress websites. The vulnerability, tracked as CVE-2023-3169, allows unauthenticated attackers to perform stored cross-site scripting (XSS). It was discovered by a Vietnamese researcher and has been patched in TagDiv Composer version 4.2. The attacks have been linked to the Balada Injector threat group, which has been active for several years and primarily compromises websites in order to redirect their visitors to scam sites.

Attack Details

Sucuri, a web security firm owned by GoDaddy, has reported that over 17,000 websites have been infected by the Balada Injector campaign, with 9,000 of them related to the exploitation of the TagDiv plugin vulnerability. Once the attackers gain access to a site, they carry out various malicious activities, including uploading backdoors, adding malicious plugins, and creating admin accounts to maintain persistence and expand their capabilities. They have been observed employing a range of techniques, such as randomized injections, multiple obfuscation types, abuse of multiple domains and subdomains, and attacks targeting administrators.
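Because the injections described above are stored in site content and load scripts from attacker-controlled domains and subdomains, a defender can audit exported HTML (post bodies, widget or option values) for script tags that point outside a known allowlist or that carry common obfuscation constructs. The script below is an added example and is not code from the article or from Sucuri; the allowlist hosts, the obfuscation markers, and the sample content are all constructed for illustration.

```python
"""Flag injected <script> tags in stored WordPress HTML (added example, constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site knowingly loads scripts from (an assumption).
ALLOWED_HOSTS = {"example-news-site.test", "cdn.example-news-site.test"}
# Heuristic markers often seen in obfuscated injected scripts (an assumption, not an IoC list).
OBFUSCATION_MARKERS = ("String.fromCharCode", "eval(", "atob(", "unescape(")


class ScriptCollector(HTMLParser):
    """Record every <script src=...> value and the body of every inline <script>."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._buf = []  # start collecting an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def host_allowed(src, allowed):
    """Relative URLs are first-party; otherwise the host, or a subdomain of it, must be allowlisted."""
    host = urlparse(src).netloc.lower().rsplit("@", 1)[-1].split(":")[0]
    return not host or any(host == a or host.endswith("." + a) for a in allowed)


def find_suspicious_scripts(html, allowed=ALLOWED_HOSTS):
    """Return (kind, detail) findings: off-allowlist external scripts and obfuscated inline ones."""
    p = ScriptCollector()
    p.feed(html)
    findings = [("external", s) for s in p.external if not host_allowed(s, allowed)]
    for body in p.inline:
        hits = [m for m in OBFUSCATION_MARKERS if m in body]
        if hits:
            findings.append(("inline-obfuscated", ",".join(hits)))
    return findings


# Constructed sample: one legitimate script, one protocol-relative injection, one obfuscated inline script.
SAMPLE = ('<p>Story</p><script src="https://cdn.example-news-site.test/app.js"></script>'
          '<script src="//stat.injected-domain.test/counter.js"></script>'
          '<script>eval(String.fromCharCode(97,108,101,114,116));</script>')

if __name__ == "__main__":
    for kind, detail in find_suspicious_scripts(SAMPLE):
        print(kind, detail)
```

Run it against a dump of wp_posts and wp_options content rather than rendered pages, since the rendered page also includes scripts added by the theme and plugins at request time.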

Balada Injector Campaign and Impact

The Balada Injector campaign has been active since 2017 and has infected over one million WordPress sites according to estimates made by Sucuri in April. The primary goal of the campaign is to redirect website visitors to fake tech support, lottery, and other scam sites. The recent exploitation of the TagDiv plugin vulnerability has significantly contributed to the number of compromised sites.

Security Recommendations

Sucuri has published a blog post containing technical details and indicators of compromise (IoCs) that can help website owners determine if their WordPress site has been targeted by the Balada Injector campaign. Additionally, they have shared recommendations to protect sites against such attacks. These include:

1. Promptly update all WordPress plugins and themes to their latest versions.
2. Implement a web application firewall (WAF) to filter out malicious traffic and detect any potential security breaches.
3. Regularly monitor website activity using security plugins and services.
4. Remove unnecessary or unused plugins and themes to reduce the attack surface.
5. Set up strong and unique admin credentials, including complex passwords and two-factor authentication.

Editorial Commentary

The recent exploitation of the TagDiv plugin vulnerability highlights the ongoing threat posed by hackers to WordPress sites. As one of the most popular content management systems (CMS) on the internet, WordPress is frequently targeted by malicious actors seeking to exploit vulnerabilities in plugins and themes. The Balada Injector campaign, in particular, demonstrates the sophistication and persistence of these threat groups.

Website owners must remain vigilant and proactive in securing their WordPress sites. Regular updates and patching of plugins and themes are crucial to address any known vulnerabilities. Additionally, implementing security measures such as web application firewalls and strong authentication can provide an additional layer of defense.

However, it is important to note that security measures alone are not sufficient to address the underlying issues. The prevalence of such attacks highlights the need for better code and plugin development practices. Developers should prioritize security during the entire software development lifecycle and rigorously test their code for vulnerabilities. Website owners and administrators must also exercise caution when choosing and installing plugins, ensuring that they come from reputable sources and have a track record of regular updates and support.

Taking these measures collectively can help mitigate the risk of future attacks and protect the integrity and security of WordPress websites.

Conclusion

The recent exploitation of the TagDiv plugin vulnerability in WordPress sites by the Balada Injector campaign underscores the need for heightened security measures. Website owners should prioritize regular updates, employ security solutions such as web application firewalls, and follow good authentication practices. Additionally, developers must improve code quality and prioritize security in order to address the root causes of these vulnerabilities. By taking these steps, both website owners and developers can contribute to a safer online ecosystem.
