Thousands of WordPress sites have been hacked through tagDiv plugin vulnerability
Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin.
The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes: Newspaper and Newsmag. The themes are available through the Theme Forest and Envato marketplaces and have more than 155,000 downloads.
Tracked as CVE-2023-3169, the vulnerability is what’s known as a cross-site scripting (XSS) flaw that allows hackers to inject malicious code into webpages. Discovered by Vietnamese researcher Truoc Phan, the vulnerability carries a severity rating of 7.1 out of a possible 10. It was partially fixed in tagDiv Composer version 4.1 and fully patched in 4.2.