Over 17,000 WordPress sites hacked in Balada Injector attacks last month
Multiple Balada Injector campaigns have compromised and infected over 17,000 WordPress sites using known flaws in premium theme plugins.
Balada Injector is a massive operation discovered in December 2022 by Dr. Web, which has been leveraging various exploits for known WordPress plugin and theme flaws to inject a Linux backdoor.
In April 2023, Sucuri reported that Balada Injector has been active since 2017 and estimated that it had compromised nearly one million WordPress sites.
These attacks align with a campaign shared with BleepingComputer in late September when admins reported on Reddit that numerous WordPress sites were infected with a malicious plugin called wp-zexit.
Overall, Sucuri says it detected Balada Injector on over 17,000 WordPress sites in September 2023, with more than half of those infections achieved by exploiting CVE-2023-3169.
Sucuri's free-to-access scanner detects most Balada Injector variants, so you may want to use it to scan your WordPress install for compromise.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-09-11 | CVE-2023-3169 | Unspecified vulnerability in Tagdiv Composer. The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks. | 6.1 |
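
A local check to run alongside the scanner advice above, as an added example that is not code from Sucuri, BleepingComputer or tagDiv: it reads the standard WordPress plugin headers under a `wp-content/plugins` directory and reports a tagDiv Composer version before 4.2 (the CVE-2023-3169 boundary in the table) and a folder named after the reported wp-zexit plugin. The header name match, the wp-zexit folder name and the sample tree are assumptions.

```python
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (4, 2)           # page: tagDiv Composer "before 4.2" is affected by CVE-2023-3169
SUSPECT_PLUGIN = "wp-zexit"      # plugin name from the page; folder name assumed to match it
TARGET_NAME = "tagdiv composer"  # assumed to appear in the plugin's "Plugin Name:" header

# Standard WordPress plugin header fields, e.g. " * Version: 4.1"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$", re.I | re.M)

def parse_version(text):
    """'4.1.5' -> (4, 1, 5); an empty tuple means no usable version string."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def read_header(php_file):
    """Return the header fields found near the top of a plugin's PHP file."""
    head = php_file.read_text(errors="replace")[:8192]
    return {key.lower(): value for key, value in HEADER.findall(head)}

def audit_plugins(plugins_dir):
    """List (finding, folder, version) tuples for one wp-content/plugins directory."""
    findings = []
    for folder in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        if folder.name.lower() == SUSPECT_PLUGIN:
            findings.append(("suspect-plugin", folder.name, None))
        for php in sorted(folder.glob("*.php")):
            header = read_header(php)
            if TARGET_NAME not in header.get("plugin name", "").lower():
                continue
            version = parse_version(header.get("version", ""))
            if not version or version < FIXED_VERSION:  # unknown version is reported too
                findings.append(("outdated-tagdiv-composer", folder.name,
                                 header.get("version", "unknown")))
    return findings

def build_sample(root, composer_version):
    """Constructed sample tree (folder and file names are made up for the demo)."""
    for name, body in {
        "example-composer": f"<?php\n/*\n * Plugin Name: tagDiv Composer\n * Version: {composer_version}\n */\n",
        "wp-zexit": "<?php // constructed placeholder, no real content\n",
        "other-plugin": "<?php\n/*\n * Plugin Name: Other\n * Version: 1.0\n */\n",
    }.items():
        (Path(root) / name).mkdir(parents=True)
        (Path(root) / name / "main.php").write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_plugins(build_sample(tmp, "4.1")):
            print(finding)
```

An empty result only means these two signals are absent; it does not replace a full scan for other Balada Injector variants.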