WordPress alert: tagDiv plugin flaw, thousands of sites hacked

A new and worrying vulnerability in the WordPress ecosystem was recently identified and, according to experts, affects many thousands of sites.

The flaw affects the tagDiv Composer plugin, which is very widespread because it is required by two popular WordPress themes, Newspaper and Newsmag. These themes, sold on some of the marketplaces that offer content for the well-known CMS, count more than 155,000 downloads overall.

The vulnerability, tracked as CVE-2023-3169, is a cross-site scripting (XSS) flaw that allows attackers to inject malicious code into the pages of affected sites. The discovery is credited to researcher Truoc Phan and, by industry standards, the flaw is rated at a severity level of 7.1 on a scale of 10.

It should be noted, however, that this flaw was only partially fixed in version 4.1 of tagDiv Composer and was fully fixed in version 4.2 of the same plugin.

The tagDiv Composer flaw exploited in Balada campaigns

Despite the aforementioned update, many of the potentially affected sites have not yet been updated.

According to a post by security researcher Denis Sinegubko, threat actors are exploiting the vulnerability to inject web scripts that redirect visitors to various scam sites. The redirects lead to pages promoting bogus technical support, alleged lottery wins, and push notification scams.

Sucuri, the security company Sinegubko works for, has been monitoring this type of malware campaign since 2017 and has named it Balada. Experts estimate that over the past six years this operation has been involved in the compromise of more than 1 million sites.

Last month, Sucuri detected signs of Balada on more than 17,000 sites, almost double the number of detections of the previous month. Over 9,000 of the new infections resulted from injections made possible by exploitation of CVE-2023-3169.
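The injections described above leave a visible trace in the rendered pages: a script tag loaded from a domain the site does not own, or an inline script that sends the visitor elsewhere. The following scanner is an added example written for this article; it is not Sucuri's tooling and not part of the tagDiv fix. It parses page HTML, flags external script sources outside an allowlist of the site's own hosts, inline scripts that contain a redirect, and meta-refresh redirects. The sample page, the hostnames (`www.example-news.test`, `cdn.attacker-placeholder.test`, `lottery-placeholder.test`) and the redirect patterns are constructed assumptions, not indicators from the article.

```python
"""Scan WordPress page HTML for injected scripts and visitor redirects.

Added example, not Sucuri's scanner. Hostnames and patterns are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline JavaScript that moves the browser to another URL. This is a heuristic
# assumption about what an injected redirect looks like; legitimate scripts can
# match too, so findings are leads for review, not proof of compromise.
REDIRECT_PATTERNS = re.compile(
    r"(?:window|document|top|self)?\.?location(?:\.href|\.replace\s*\(|\s*=)"
    r"|window\.open\s*\("
)


class InjectionScanner(HTMLParser):
    """Collect (kind, line, detail) findings while parsing a page."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False
        self._script_buf = []
        self._script_line = None

    def _external(self, url):
        # Relative URLs have no hostname and are treated as the site's own.
        host = urlparse(url).hostname
        return host is not None and host.lower() not in self.allowed_hosts

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        if tag == "script":
            src = attrs.get("src")
            if src and self._external(src):
                self.findings.append(("external_script", line, src))
            # html.parser hands script bodies to handle_data; buffer them.
            self._in_script = True
            self._script_buf = []
            self._script_line = line
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", content, re.I)
            if m and self._external(m.group(1).strip()):
                self.findings.append(("meta_refresh", line, m.group(1).strip()))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._script_buf)
            if REDIRECT_PATTERNS.search(body):
                self.findings.append(("inline_redirect", self._script_line, body.strip()[:80]))
            self._in_script = False


def scan_page(html, allowed_hosts):
    """Return a list of (kind, line_number, detail) findings for one page."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate script from the site's own host, one
# injected external script, and one injected inline redirect.
SAMPLE_PAGE = """<html><head>
<script src="https://www.example-news.test/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.attacker-placeholder.test/inject.js"></script>
</head><body>
<script>
  window.location.href = 'https://lottery-placeholder.test/win';
</script>
<p>Article text.</p>
</body></html>"""

if __name__ == "__main__":
    for kind, line, detail in scan_page(SAMPLE_PAGE, {"www.example-news.test"}):
        print(f"line {line}: {kind}: {detail}")
```

Run it over the HTML fetched from a site's front page and a few article pages, or over the `post_content` column of `wp_posts`, with `allowed_hosts` set to the site's own domain and any CDN it deliberately uses; anything flagged that the site owner did not add is worth comparing against a clean backup.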
