Security News > 2023 > October > Over 17,000 WordPress sites hacked in Balada Injector attacks last month
Multiple Balada Injector campaigns have compromised and infected over 17,000 WordPress sites using known flaws in premium theme plugins.
Balada Injector is a massive operation discovered in December 2022 by Dr. Web, which has been leveraging various exploits for known WordPress plugin and theme flaws to inject a Linux backdoor.
In April 2023, Sucuri reported that Balada Injector has been active since 2017 and estimated that it had compromised nearly one million WordPress sites.
These attacks align with a campaign shared with BleepingComputer in late September when admins reported on Reddit that numerous WordPress sites were infected with a malicious plugin called wp-zexit.
In general, Sucuri says it detected Balada Injector on over 17,000 WordPress sites in September 2023, with more than half achieved by exploiting CVE-2023-3169.
Sucuri's free-to-access scanner detects most Balada Injector variants, so you may want to use it to scan your WordPress install for compromise.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-09-11 | CVE-2023-3169 | Unspecified vulnerability in Tagdiv Composer The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks. | 6.1 |