ClickCease The Balada Injector WordPress Compromise

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

The Balada Injector WordPress Compromise

Wajahat Raja

October 23, 2023 - TuxCare expert team

In the ever-evolving world of cybersecurity, vigilance is crucial to safeguarding your website. A recent threat known as Balada Injector has cast a dark shadow over WordPress, compromising more than 17,000 websites in the past month. This blog post will delve into the details of the Balada Injector WordPress compromise, its implications, and, most importantly, how to protect your WordPress site from this menacing threat. 

Balada Injector WordPress Compromise: An Overview

The Balada Injector is not a household name, yet it has had a huge impact on the WordPress community. Dr. Web discovered this cyber activity in
December 2022. Balada Injector injects a backdoor into Linux computers by leveraging known vulnerabilities in premium theme plugins. This pernicious backdoor redirects website visitors to false tech support pages, bogus lottery wins, and push notification frauds.

This operation has raised questions about its nature: is it part of broader scam campaigns or a service offered to malicious actors? Regardless, its impact on website owners and visitors is undeniable.

Longevity and Scale

A startling revelation came in April 2023 when Sucuri reported that Balada Injector had been active since 2017, potentially compromising nearly one million WordPress sites. This indicates a prolonged and persistent threat, making it essential for website administrators to stay informed and take action.

The Latest Campaign: CVE-2023-3169 Exploitation

The most current Balada Injector campaign focuses on CVE-2023-3169, a cross-site scripting (XSS) weakness discovered in tagDiv Composer. This tool works in tandem with tagDiv’s Newspaper and Newsmag themes, which are popular alternatives for WordPress sites. Both themes are premium and are frequently utilized by successful websites with high traffic.

The new campaign of this WordPress security breach began in mid-September, shortly after the vulnerability was disclosed and a proof-of-concept exploit was released. Attackers penetrated WordPress sites using the malicious plugin “wp-zexit.php,” which enabled them to remotely execute PHP code saved in the “/tmp/i” file. Additionally, code injection into templates drove visitors to scam sites controlled by the attackers.


TagDiv, the developer behind the affected themes, has acknowledged the issue and recommended updating to the latest theme version as a preventive measure. Installing a security plugin like Wordfence, scanning the website, and changing all website passwords were also suggested precautions.

Sucuri’s Insights: The Campaign’s Complexity

Sucuri’s report provides a comprehensive view of the Balada Injector campaign. It highlights six distinct attack waves, some of which have variations, underscoring the sophistication of the attackers. Here’s a breakdown of these
malware attacks on WordPress:


  1. Compromising WordPress Sites: Attackers injected malicious scripts from “stay.decentralappps[.]com,” impacting over 5,000 websites.
  2. Creating Rogue Administrator Accounts: Initially, the attackers used the username “greeceman” but later switched to auto-generated usernames based on the site’s hostname.
  3. Embedding Backdoors: WordPress’s theme editor was abused to embed backdoors in the Newspaper theme’s “404.php” file for stealthy persistence.
  4. Utilizing the wp-zexit Plugin: Attackers resorted to this plugin, mimicking WordPress admin behavior and hiding backdoors in the website’s Ajax interface.
  5. Increased Randomization: To evade detection, attackers introduced three new domains and increased randomization across injected scripts, URLs, and codes.
  6. New Domains: The attacks transitioned to using “promsmotion[.]com” subdomains, focusing on three specific injections detected in 92, 76, and 67 websites.


Sucuri’s findings reveal that over 17,000 WordPress sites fell victim to Balada Injector in September 2023, with approximately half of them (9,000) compromised through CVE-2023-3169. This underscores the attackers’ ability to adapt swiftly to maximize their impact.

Defending Against Balada Injector

Protecting your WordPress site
from Balada Injector is of paramount importance. Here are steps to fortify your defenses:

  1. Update tagDiv Composer: Ensure that your tagDiv Composer plugin is updated to at least version 4.2 or later. This update addresses the vulnerability targeted by Balada Injector.
  2. Keep Themes and Plugins Updated: Regularly update all themes and plugins on your WordPress site. Developers often release updates to patch vulnerabilities and enhance security.
  3. Remove Dormant User Accounts: Go through your user accounts and remove any that are no longer active or necessary. Reducing the number of potential entry points for attackers is a wise precaution.
  4. Scan for Hidden Backdoors: Regularly scan your website files for hidden backdoors or malicious code. Security plugins can be valuable in this regard.


The Balada Injector’s recent attacks on over 17,000 WordPress websites serve as a stark reminder of the ever-present threats in the digital landscape.
WordPress vulnerability mitigation is a critical aspect of maintaining a secure and resilient website. It is our responsibility to stay informed, remain vigilant, and take proactive steps to protect our online assets. 

Implementing website security best practices is essential for protecting your online presence. By following the recommended security measures and staying up to date with the latest developments, you can mitigate the risks posed by Balada Injector and other cybersecurity threats. Your website’s safety and the trust of your visitors depend on it!

The sources for this piece include articles in The Hacker News and SC Media


The Balada Injector WordPress Compromise
Article Name
The Balada Injector WordPress Compromise
Discover the latest Balada Injector WordPress compromise and learn how to safeguard your WordPress site from Balada Injector. Stay vigilant.
Publisher Name
Tux Care
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter