Balada Injector Targets Unpatched tagDiv Plugin, Newspaper Theme & WordPress Admins
In the middle of September 2023, vulnerability advisory resources disclosed the details of an Unauthenticated Stored XSS vulnerability in the tagDiv Composer (the companion plugin for the popular tagDiv premium themes Newspaper and Newsmag). Shortly after that, we started noticing new waves of Balada malware injections on websites that were actively using tagDiv themes.
This is not the first time that the Balada Injector gang has targeted vulnerabilities in tagDiv’s premium themes. One of the earliest massive malware injections that we could attribute to this campaign took place during the summer of 2017, where disclosed security bugs in Newspaper and Newsmag WordPress themes were actively abused.