A recently patched vulnerability affecting a plugin associated with the Newspaper and Newsmag themes has been exploited to hack thousands of WordPress websites as part of a long-running campaign named Balada Injector, GoDaddy-owned web security firm Sucuri warned on Friday.
The exploited vulnerability, tracked as CVE-2023-3169, was discovered by a Vietnamese researcher in the TagDiv Composer front-end page builder plugin of the Newspaper and Newsmag premium themes, which have been sold nearly 140,000 times.
The flaw, patched in recent weeks with the release of TagDiv Composer version 4.2, can be exploited for stored cross-site scripting (XSS) by an unauthenticated attacker.
Details of the vulnerability were disclosed in mid-September and Sucuri started seeing attacks exploiting the flaw shortly after. The cybersecurity firm linked the attacks to the Balada Injector threat group, which has been around for many years.
The threat actor typically hijacks websites in an effort to redirect their visitors to fake tech support, lottery and other scam sites. Sucuri estimated in April that more than one million WordPress sites had been infected as part of the Balada Injector campaign since 2017.
In the recently observed attacks, Sucuri saw over 17,000 websites infected by Balada, including 9,000 related to exploitation of the TagDiv plugin vulnerability.
The hackers exploited CVE-2023-3169 to inject malicious code into a specific location in the WordPress database, ensuring that their code would be propagated to every public page of the targeted website.
Once they gain initial access to a site, the attackers typically upload backdoors, add malicious plugins, and create admin accounts that expand their capabilities and provide them with persistent access.
“We observed a rapid cycle of modifications to their injected scripts alongside new techniques and approaches. We saw randomized injections and obfuscation types, simultaneous use of multiple domains and subdomains, abuse of CloudFlare, and multiple approaches to attack administrators of infected WordPress sites,” Sucuri noted.
The security firm has published a blog post with technical details and indicators of compromise (IoCs) that can be used to determine whether a WordPress website has been targeted in the Balada Injector campaign. Sucuri has also shared recommendations for protecting sites against such attacks.