Security News > 2023 > October > Over 17,000 WordPress Sites Compromised by Balada Injector in September 2023

Over 17,000 WordPress Sites Compromised by Balada Injector in September 2023
2023-10-11 12:41

More than 17,000 WordPress websites have been compromised in the month of September 2023 with malware known as Balada Injector, nearly twice the number of detections in August. Of these, 9,000 of the websites are said to have been infiltrated using a recently disclosed security flaw in the tagDiv Composer plugin (CVE-2023-3169, CVSS score: 6.1) that could be exploited by unauthenticated users to


News URL

https://thehackernews.com/2023/10/over-17000-wordpress-sites-compromised.html

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-09-11 CVE-2023-3169 Unspecified vulnerability in Tagdiv Composer
The tagDiv Composer WordPress plugin before 4.2, used as a companion by the Newspaper and Newsmag themes from tagDiv, does not have authorisation in a REST route and does not validate as well as escape some parameters when outputting them back, which could allow unauthenticated users to perform Stored Cross-Site Scripting attacks.
network
low complexity
tagdiv
6.1
6.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Wordpress 7 2 95 44 18 159