WordPress theme vulnerability gave hackers access to thousands of sites

  • A vulnerability in tagDiv Composer could see malicious attackers taking control of a website.
  • The vulnerability has reportedly been fixed in version 4.2 of the plugin.
  • The vulnerability is the latest exploit leveraged by the so-called Balada malware group.

Web developers who work with the WordPress themes Newspaper and Newsmag should take note of a vulnerability that has thankfully already been patched.

The vulnerability, which was christened CVE-2023-3169, affects the tagDiv Composer plugin for WordPress. This plugin is a key component of the aforementioned themes, which have been purchased by almost 160 000 developers.

“The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks,” reads a post on NIST’s National Vulnerability Database.

By leveraging this vulnerability, a bad actor could inject malicious code into a website. According to Ars Technica, the vulnerability is being leveraged by a malware campaign called Balada, which has been operating since 2017. According to Sucuri, the firm tracking the campaign, the last attack impacted as many as 40 000 users.

This latest vulnerability could see Balada executing more attacks using the compromised websites, including sending users to scams and malicious domains.

The vulnerability carries a severity rating of 6.1 out of a possible 10, which ranks it as medium. However, developers should update the plugin to version 4.2 as soon as possible. The problem was partially fixed in version 4.1, but you really should update to the latest version.
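For anyone managing several WordPress installs, the version advice above can be checked in bulk. The following is an added example, not code from tagDiv, Sucuri or the original article: it reads the `Version:` line from the plugin's header and sorts each site into the three states described here (before 4.1, 4.1 with the partial fix, 4.2 or later). The plugin path `wp-content/plugins/td-composer/td-composer.php` is an assumption, and the sample sites are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: plugin slug and main file name; adjust to match your installs.
PLUGIN_MAIN = "wp-content/plugins/td-composer/td-composer.php"
FIXED = (4, 2)    # full fix, per the article
PARTIAL = (4, 1)  # partial fix, per the article

def parse_version(header_text):
    """Return the plugin header's 'Version:' value as an int tuple, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)",
                  header_text, re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def classify(version):
    """Map a version tuple to the three states the article describes."""
    if version is None:
        return "unknown"          # header missing or unreadable: check by hand
    if version >= FIXED:
        return "fixed"
    if version >= PARTIAL:
        return "partially-fixed"  # 4.1.x still needs the update to 4.2
    return "vulnerable"

def audit(root):
    """Scan every WordPress install under root; return {site_dir: status}."""
    results = {}
    for main in sorted(Path(root).glob("**/" + PLUGIN_MAIN)):
        head = main.read_text(errors="replace")[:8192]  # header sits at the top
        site = main.parents[3]                          # directory above wp-content
        results[str(site.relative_to(root))] = classify(parse_version(head))
    return results

def demo():
    """Build a constructed tree of three sites and audit it."""
    samples = {"site-a": "4.0", "site-b": "4.1", "site-c": "4.2"}
    with tempfile.TemporaryDirectory() as tmp:
        for site, ver in samples.items():
            f = Path(tmp, site, PLUGIN_MAIN)
            f.parent.mkdir(parents=True)
            f.write_text("<?php\n/*\n * Plugin Name: tagDiv Composer\n"
                         f" * Version: {ver}\n */\n")
        return audit(tmp)

if __name__ == "__main__":
    for site, status in demo().items():
        print(site, status)
```

Point `audit()` at the directory that holds your sites; anything not reported as `fixed` still needs the update to 4.2.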

For those who can’t update their plugins for any reason, Sucuri has detailed mitigation measures here.

For those interested, you can find a proof of concept of the vulnerability here.
