vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Balada Injector Compromises Over 17,000 WordPress Sites

By Keira Waddell, Former Senior Writer. Published on 13th October 2023.

More than 17,000 WordPress websites have fallen victim to the Balada Injector malware. The latest campaign, which occurred in September, specifically targeted popular premium themes, namely tagDiv Newspaper and tagDiv Newsmag.

The attacks primarily centered on a vulnerability within the tagDiv Composer, tracked as CVE-2023-3169, allowing remote execution of PHP code. Malicious actors took advantage of this loophole to distribute the Balada Injector malware, leading to substantial disruption across compromised websites.

The Balada Injector operation focused on redirecting unsuspecting website visitors to deceptive tech support pages and fraudulent lottery win pages. Various push notification scams were also used.

The scale of the attack is particularly concerning. Cybersecurity researcher Sucuri estimates that the number of compromised WordPress websites in September alone exceeded 17,000. The potential target pool was even larger, comprising approximately 155,000 websites using the tagDiv Newspaper and tagDiv Newsmag premium themes. This number does not include websites running pirated copies of these themes.

Contrary to initial assumptions, the Balada Injector campaign is not a recent phenomenon. Dr. Web first identified its presence in December 2022, with some experts suggesting its existence as early as 2017. However, although tagDiv was alerted to these vulnerabilities several months ago and released a patch, it faced challenges because users failed to update the themes in time.

To mitigate the risks, tagDiv recommends an immediate upgrade to the earliest secure version of tagDiv Composer, specifically version 4.2. Additionally, the installation of a reliable security plugin like Wordfence, coupled with a comprehensive website scan, is imperative. Resetting all website passwords is advised as a further precautionary step. These actions collectively serve as a robust defense mechanism against potential breaches.
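
One way to verify the upgrade step across several sites, as an added example that is not part of the original article or tagDiv's own tooling. It assumes the plugin's main file sits at wp-content/plugins/td-composer/td-composer.php and carries a standard WordPress "Version:" header; the sample sites are constructed.

```python
import re
import tempfile
from pathlib import Path

MIN_SAFE = (4, 2)  # per the article: 4.2 is the earliest secure tagDiv Composer version
# Assumption: default install path of the plugin's main file
PLUGIN_REL = Path("wp-content/plugins/td-composer/td-composer.php")
# Same header shape WordPress looks for when it reads plugin metadata
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text[:8192])  # WordPress only reads the first 8 KB
    if not m:
        return None
    return tuple(int(n) for n in re.findall(r"\d+", m.group(1)))

def audit_site(root):
    """Classify one WordPress root: ok, vulnerable, unknown-version, not-installed."""
    path = Path(root) / PLUGIN_REL
    if not path.is_file():
        return "not-installed"
    ver = parse_version(path.read_text(errors="replace"))
    if ver is None:
        return "unknown-version"  # header missing or altered: review by hand
    width = max(len(ver), len(MIN_SAFE))
    pad = lambda v: v + (0,) * (width - len(v))
    # Numeric comparison, so 4.10 is correctly newer than 4.2
    return "ok" if pad(ver) >= pad(MIN_SAFE) else "vulnerable"

def demo():
    """Audit constructed sample sites built in a temporary directory."""
    samples = {"site-a": "4.1", "site-b": "4.2", "site-c": "4.10", "site-d": None}
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in samples.items():
            root = Path(tmp) / name
            root.mkdir()
            if ver is not None:
                target = root / PLUGIN_REL
                target.parent.mkdir(parents=True)
                target.write_text(f"<?php\n/*\nPlugin Name: tagDiv Composer\nVersion: {ver}\n*/\n")
            results[name] = audit_site(root)
    return results

if __name__ == "__main__":
    for site, status in demo().items():
        print(f"{site}: {status}")
```

A version check only confirms the patch level; a site that was compromised before the upgrade still needs the scan and password reset described above.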

This incident serves as a reminder that while the core framework of WordPress is generally deemed secure, the susceptibility primarily lies within plugins and themes, as evidenced by the vulnerability in the tagDiv offerings.

Consequently, website administrators are strongly encouraged to exercise caution by exclusively sourcing plugins from reputable developers and regularly updating them to mitigate potential security risks.

About the Author

Keira was a senior writer at vpnMentor. She is an experienced cybersecurity and tech writer dedicated to providing comprehensive insights on VPNs, online privacy, and internet censorship.
