Balada Injector: Patched WordPress Plugin Flaw

A recently patched vulnerability in TagDiv Composer, the page-builder plugin bundled with the premium Newspaper and Newsmag themes, has been exploited to compromise thousands of WordPress websites as part of the long-running campaign known as Balada Injector.

Sucuri, a web security company owned by GoDaddy, warned about this development.

Details about the Vulnerability

The vulnerability, CVE-2023-3169, was first reported by a Vietnamese researcher in the TagDiv Composer front-end page builder that ships with the Newspaper and Newsmag premium themes.

The flaw, fixed in TagDiv Composer version 4.2, is a stored cross-site scripting (XSS) bug that an unauthenticated attacker can exploit: the injected script is saved by the site and served to everyone who later loads the affected pages.

Information regarding this vulnerability was disclosed in mid-September, and shortly thereafter, Sucuri detected instances of exploitation. 

Sucuri attributed these attacks to the Balada Injector threat actor, a group that has been active since 2017.

Modus Operandi – Balada Injector

Typically, the Balada Injector threat actor hijacks websites to redirect visitors to counterfeit tech support, lottery, and other fraudulent websites. 

As of April, Sucuri estimated that over one million WordPress sites had fallen victim to the Balada Injector campaign since its inception in 2017.

https://x.com/MalwareHuntress/status/1710535443979153838?s=20

In the recent wave of attacks observed, Sucuri identified more than 17,000 websites compromised by Balada, with approximately 9,000 of these incidents related to exploiting the TagDiv plugin vulnerability.

Exploiting CVE-2023-3169 let the attackers store a malicious script in the WordPress database, in a location that the theme renders on every public page, so a single injection reaches every visitor to the site.

The injected script also targets logged-in administrators who visit the infected site: running with their session, it creates rogue admin accounts, installs malicious plugins and uploads backdoors, establishing persistent access that survives a later patch of the plugin itself.
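As an added illustration (not code from this page or from Sucuri), the Python below scans a handful of constructed wp_options rows for the shape of injection described above: a script tag that loads code from a host other than the site's own, or an inline script built from String.fromCharCode, eval and similar obfuscation primitives. The option names, hosts and payloads are made up for the demonstration; on a real site you would feed it an export of wp_options and wp_posts content.

```python
"""Scan WordPress option values for stored-XSS style script injections.

Added example: looks through constructed wp_options rows for <script> tags
that pull code from a third-party host or use common obfuscation primitives.
"""
import re
from urllib.parse import urlparse

# Constructed sample rows (option_name -> option_value). The option names,
# hosts and payloads are made up for illustration, not real indicators.
SITE_HOST = "example-news-site.test"
SAMPLE_OPTIONS = {
    "siteurl": "https://example-news-site.test",
    "blogname": "Example News",
    # external script injected into a setting the theme renders on every page
    "plugin_custom_html": '<script src="https://cdn.example-evil.test/lib.js"></script>',
    # inline obfuscated loader stored in a text widget
    "widget_text": '<script>eval(String.fromCharCode(118,97,114,32,97,61,49));</script>',
    # legitimate first-party script reference, must not be flagged
    "theme_footer": '<script src="/wp-includes/js/jquery/jquery.min.js"></script>',
}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
OBFUSCATION_MARKERS = ("String.fromCharCode", "atob(", "eval(", "unescape(", "document.write(")


def scan_value(value, site_host):
    """Return a list of reasons a stored value looks like an injected script."""
    reasons = []
    for attrs, body in SCRIPT_TAG.findall(value):
        src = SRC_ATTR.search(attrs)
        if src:
            # urlparse handles https://host/, protocol-relative //host/ and
            # relative paths (hostname is None for the last, so it is skipped)
            host = urlparse(src.group(1)).hostname
            if host and host != site_host:
                reasons.append(f"external script src host {host}")
        for marker in OBFUSCATION_MARKERS:
            if marker in body:
                reasons.append(f"inline script uses {marker}")
    return reasons


def scan_options(options, site_host):
    """Map option_name -> reasons for every option carrying a suspicious script."""
    findings = {}
    for name, value in options.items():
        reasons = scan_value(value, site_host)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_options(SAMPLE_OPTIONS, SITE_HOST).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Scripts hosted on the site's own domain pass, so the check produces a short list of candidates to inspect by hand rather than flagging every theme that enqueues jQuery.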

Other Observations 

Sucuri observed the attackers iterating rapidly on their injected scripts, adding new techniques and tactics, including:

  • randomized injections,
  • obfuscation methods,
  • the concurrent use of multiple domains and subdomains,
  • misuse of Cloudflare, and
  • varied approaches to target administrators of compromised WordPress sites.

Protect Earlier – Don’t repent!

Securing your WordPress website against various threats, such as plugin and theme vulnerabilities, requires a proactive approach. 

Start by ensuring that all software components, including plugins and themes, are regularly updated to patch known vulnerabilities. 

Remove any unused plugins and themes to minimize potential attack vectors. Employ a web application firewall (WAF) to add an additional protection layer, helping filter out malicious traffic and requests.

To thwart brute-force attacks targeting WordPress admin credentials, employ strong and unique passwords for all accounts, including the admin account. Implement two-factor authentication (2FA) for added security. 

Restrict administrator privileges to the users who genuinely need them, and rotate WordPress admin passwords, immediately if a compromise is suspected.

Keeping themes and plugins updated also closes the paths attackers use to read database credentials out of wp-config.php. Do not leave renamed copies of wp-config.php (for example wp-config.php.bak or wp-config.old) in the web root for testing: a file that no longer ends in .php is not executed by PHP but served as plain text, so anyone who guesses its name receives the live database credentials.

Store copies of this file outside public directories or locally, preferably encrypted. 

If backdoors are found, clean up both the JavaScript and the PHP malware: removing the injected script alone leaves PHP backdoors in place that let the attackers re-infect the site. Verify that every Balada Injector backdoor has been removed, and deploy file integrity monitoring so that unauthorized changes are detected quickly.

Consider using professional website cleanup services to ensure no remnants of the compromise linger.
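The two checks recommended above, looking for stray wp-config copies in the web root and comparing the install against an integrity baseline, as an added Python example (not Sucuri's or WordPress's own tooling). It builds a constructed miniature install in a temporary directory; the file names and contents are assumptions for the demonstration, and on a real server you would point it at the document root and store the baseline off-box.

```python
"""Audit a WordPress document root for exposed wp-config copies and for files
that changed since a known-good baseline.

Added example. It builds a constructed sample install in a temp directory so
it runs offline; none of the files or contents come from a real site.
"""
import hashlib
import os
import tempfile


def find_exposed_config_copies(docroot):
    """Return paths (relative to docroot) of files that look like wp-config.php copies.

    Only wp-config.php itself is executed by PHP; wp-config.php.bak,
    wp-config.old, wp-config.txt and similar are served back as plain text,
    handing the live database credentials to anyone who guesses the name.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.startswith("wp-config") and name != "wp-config.php":
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(hits)


def hash_tree(docroot, suffixes=(".php", ".js")):
    """Build a simple integrity baseline: relative path -> SHA-256 of content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digests[os.path.relpath(path, docroot)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def changed_files(baseline, current):
    """Files that are new or whose content no longer matches the baseline."""
    return sorted(path for path, digest in current.items() if baseline.get(path) != digest)


def build_sample_docroot():
    """Create a constructed mini WordPress tree for the demonstration."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "wp-config.php": "<?php define('DB_PASSWORD', 'constructed-secret');",
        "wp-config.php.bak": "<?php define('DB_PASSWORD', 'constructed-secret');",
        "backup/wp-config.old": "<?php define('DB_PASSWORD', 'old-constructed-secret');",
        "wp-load.php": "<?php require 'wp-config.php';",
        "wp-content/themes/sample/footer.php": "<?php wp_footer();",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def simulate_compromise(docroot):
    """Mimic what a cleanup must catch: a modified core file plus a dropped PHP file."""
    with open(os.path.join(docroot, "wp-load.php"), "a") as fh:
        fh.write("\n// constructed injected line")
    dropped = os.path.join(docroot, "wp-content", "uploads", "cache.php")
    os.makedirs(os.path.dirname(dropped), exist_ok=True)
    with open(dropped, "w") as fh:
        fh.write("<?php // constructed backdoor placeholder")


if __name__ == "__main__":
    root = build_sample_docroot()
    print("exposed config copies:", find_exposed_config_copies(root))
    baseline = hash_tree(root)
    simulate_compromise(root)
    print("changed since baseline:", changed_files(baseline, hash_tree(root)))
```

A baseline is only useful if it was taken from a clean install and stored where a compromised web server cannot rewrite it; take it right after a fresh deployment or a verified cleanup.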

Balada Injector also harvests FTP credentials from configuration files it finds on the server. Keep files from your local development environment, which may contain saved credentials, off the production server.

Monitor FTP logs for suspicious activity and promptly change FTP passwords if a compromise is suspected.

Balada Injector is known for creating malicious admin users, so review the administrator list regularly and remove any account you did not create. Keeping the number of administrators to the minimum needed also shrinks the attack surface.
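An added example (not from the page) of auditing the administrator list for the rogue accounts described above. The rows mimic the fields of `wp user list --format=json` but the accounts are constructed, and the approved-admin list and the reference time are assumptions chosen so the example is reproducible.

```python
"""Audit WordPress administrator accounts for rogue additions.

Added example. The input mimics rows from `wp user list --format=json`
(ID, user_login, user_email, user_registered, roles); the accounts below are
constructed, not taken from a real site.
"""
from datetime import datetime, timedelta

# Constructed sample export; roles is the comma-separated string wp-cli emits.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "editor_in_chief", "user_email": "eic@example-news-site.test",
     "user_registered": "2019-03-12 09:14:00", "roles": "administrator"},
    {"ID": 2, "user_login": "author_jane", "user_email": "jane@example-news-site.test",
     "user_registered": "2021-06-01 10:00:00", "roles": "author"},
    {"ID": 57, "user_login": "wp_update_service", "user_email": "noreply@example-mail.test",
     "user_registered": "2023-10-03 02:41:17", "roles": "administrator"},
]
APPROVED_ADMINS = {"editor_in_chief"}  # assumed allowlist maintained outside WordPress
NOW = datetime(2023, 10, 9, 12, 0, 0)  # fixed reference time so the example is reproducible


def audit_admins(users, approved_logins, now, recent_days=7):
    """Return (login, reasons) for every administrator that deserves a look.

    Flags accounts not on the approved list and any administrator registered
    within `recent_days`, since a fresh, unexpected admin is the classic sign
    of a Balada-style takeover.
    """
    findings = []
    for user in users:
        roles = {r.strip() for r in user["roles"].split(",")}
        if "administrator" not in roles:
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_login"] not in approved_logins:
            reasons.append("not in approved admin list")
        if now - registered <= timedelta(days=recent_days):
            reasons.append(f"registered within the last {recent_days} days")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in audit_admins(SAMPLE_USERS, APPROVED_ADMINS, NOW):
        print(f"{login}: {'; '.join(reasons)}")
```

Run this on a schedule against the live user table, not once after an incident: the allowlist comparison catches accounts that were added quietly weeks earlier, while the registration-age check surfaces the ones created overnight.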

Above all, stay vigilant!

Author: PureVPN

Date: October 10, 2023
