MalCare Blocks 5 Million+ XSS Attacks Exploiting the tagDiv Plugin Vulnerability

MalCare recently blocked over 5 million cross-site scripting (XSS) attacks on its customer websites. In what is likely the biggest attack campaign of the year, MalCare saw a sudden jump from its usual baseline: 20 times the average number of attacks blocked in a day.

The surprising aspect of this vulnerability is that it is not new: a patch has been available for months. The attacks attempted to exploit unpatched sites and were thwarted by MalCare. This incident serves as a reminder of the constant vigilance you get when you have MalCare protecting your WordPress site.

What happened?

In mid-December, MalCare saw a sudden and huge uptick in the number of XSS attacks faced by its customer websites. On 14 December alone, MalCare blocked more than 5.3 million XSS attacks, originating from multiple IPs spread across Europe and Asia.

All these attacks targeted a security vulnerability in tagDiv Composer, a companion plugin to the widely popular tagDiv Newspaper and Newsmag premium themes. This vulnerability has a CVSS score of 7.2 (High) and a NIST score of 6.1 (Medium), making it critical to update the themes and the companion plugin as soon as possible.

(Figure: CVSS score and NIST score badges)

What is the tagDiv plugin vulnerability?

Plugin information

Vulnerable plugin version: v4.1 and earlier

Patched plugin version: v4.2 and later

About the vulnerability

The tagDiv Composer plugin is a part of the popular premium themes Newspaper and Newsmag. Together, they have about 140,000 active installs.

The vulnerability in this plugin allowed attackers to add malicious scripts to web pages, and those scripts execute every time a user accesses the compromised pages. In this scenario, the web page stores the data (here, scripts) it receives from an untrusted source (here, the attacker) and includes that data in the HTTP 200 (success) response it sends to every user who visits the page.

This opens up an avenue for hackers not only to take control of affected websites but also to infect, and re-infect, other websites by using the visitor’s device as a launch point. This process is known as a stored XSS attack, and it can become a very persistent attack if not dealt with promptly.

If you have reason to suspect that your WordPress site might have fallen victim to attacks exploiting this vulnerability, obtain your site’s access or firewall logs and search for the following paths:

/wp-json/tdw/save_css

/wp-admin/admin-ajax.php

If you see log entries with these paths, your site may be compromised. Take immediate action: update the tagDiv Newspaper and/or Newsmag themes and install MalCare to remove all traces of malware from your site.
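One way to carry out the log search above, as an added example that is not part of the original post: a small scanner over combined-format access log lines that flags every hit on the tagDiv save_css endpoint and marks admin-ajax.php requests for review. Because admin-ajax.php is used by ordinary WordPress activity, the example treats only bare POSTs to it without a Referer as worth reviewing (an assumed heuristic, not a rule from the post); the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in "combined" access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [14/Dec/2023:10:01:22 +0000] "POST /wp-json/tdw/save_css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Dec/2023:10:01:25 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.11 - - [14/Dec/2023:10:02:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.8 - - [14/Dec/2023:10:03:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 45 "https://example.test/wp-admin/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAVE_CSS = "/wp-json/tdw/save_css"      # plugin-specific endpoint named in the post
ADMIN_AJAX = "/wp-admin/admin-ajax.php"  # generic WordPress endpoint used by many plugins

def classify_line(line):
    """Return a finding dict for a log line worth looking at, else None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    path = urlsplit(m["target"]).path  # drop any query string before comparing
    sev = None
    if path == SAVE_CSS:
        # Any hit on the tagDiv endpoint deserves a look on an unpatched site.
        sev = "suspicious"
    elif path == ADMIN_AJAX and m["method"] == "POST" and m["referer"] == "-":
        # Assumed heuristic: browser-driven admin-ajax calls carry a Referer;
        # a bare POST without one is typical of scripted traffic, so review it.
        sev = "review"
    if sev is None:
        return None
    return {"severity": sev, "ip": m["ip"], "ts": m["ts"],
            "method": m["method"], "path": path, "ua": m["ua"]}

def scan_log(text):
    """Scan a whole log; suspicious findings first, then review items."""
    hits = [f for f in (classify_line(l) for l in text.splitlines()) if f]
    return sorted(hits, key=lambda f: f["severity"] != "suspicious")

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:10} {f['ts']} {f['ip']} {f['method']} {f['path']} ({f['ua']})")
```

Point the script at your real access log (one line per request) and review every "suspicious" entry first; a "review" entry on its own is not proof of compromise.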

Additional information

(Figure: tagDiv vulnerability malware code)

Origin IP addresses for these attacks


Origin sites using these IP addresses


Origin countries for these attacks

Netherlands

Russia

Romania

Malaysia

Who discovered this vulnerability?

The tagDiv Composer vulnerability was discovered by security researcher Truoc Phan on August 17, 2023. While tagDiv released a patch for this vulnerability with v4.1, it was only a partial fix; the complete fix arrived with the release of v4.2.

How is your WordPress site at risk?

Your WordPress site is at risk if it runs the Newspaper or Newsmag themes with the tagDiv Composer plugin v4.1 or earlier.

Hackers can exploit this vulnerability to:

infect sites with malicious scripts that could lead to phishing, clickjacking, and similar attacks,

use sites as command-and-control (C2) channels for further attacks across networks, organizations, and other applications on the internet,

install hidden backdoors to reinfect sites that have been cleaned,

create fake administrator accounts in infiltrated sites to take them over completely and make them inaccessible to site admins and users,

obtain sensitive information, such as credentials and personally identifiable details, stored in site databases.

As a result, addressing this vulnerability becomes critically important. At the time of writing, more than 13,000 sites around the world have not updated to the latest version, despite it being about 4 months since the vulnerability was publicly disclosed. This leaves not only the sites but also their visitors vulnerable to attack.

Additionally, it is a sobering reflection on the current state of the WordPress ecosystem, where users avoid timely updates either due to a lack of awareness or the fear of breaking their sites.

How MalCare protected sites from these attacks

Even hidden vulnerabilities present danger. If security researchers find them first, they typically alert plugin creators, who take swift action to develop fixes. However, vulnerabilities can exist on sites for years, and if cyber criminals discover these weaknesses first, they could exploit countless sites, which is an alarming prospect.

Virtual patching has its place but tends to be reactionary, as it responds to threats instead of blocking them upfront. It relies on the promptness of firewall providers to distribute patches in a timely manner.

The time lapse between the detection of a vulnerability and its resolution is a risky interval where websites remain unprotected. Moreover, virtual patches are temporary solutions, not permanent fixes.

General firewalls don’t cut it for specific vulnerabilities, offering broad rather than WordPress-focused defense. They lack the tailor-made rules required to address WordPress-specific security issues.

Enter MalCare’s Atomic Security. It uses advanced algorithms and customized rule sets to sense patterns in vulnerabilities, thwarting attacks proactively. It shields your WordPress site even before plugin patches are available. When combined with MalCare’s robust malware detection capabilities, Atomic Security acts as an elite guard for your online presence.

How else does MalCare protect WordPress sites?

Beyond Atomic Security, MalCare ensures WordPress site protection through a series of comprehensive measures:

Early malware detection: MalCare vigilantly scans your site daily and automatically. This routine checkup is designed to pinpoint malware the moment it tries to infiltrate, allowing for the swiftest response to threats.

Malware removal: Should malware slip through, MalCare’s potent malware removal tool steps in. It meticulously expunges any malevolent code, restoring the integrity and safety of your site with minimal fuss.

Vulnerability alerts: MalCare stays on the lookout for weak spots within your plugins and themes. If it detects vulnerabilities, you’ll receive instant alerts. This gives you the opportunity to patch up these soft spots before they’re exploited.

Bot protection: Bots can bog down your site, affecting speed and performance. MalCare includes a robust line of defense against these automated pests, thus optimizing your site’s speed and enhancing user experience.

Secure backups: In the face of unforeseeable disasters, MalCare’s automatic, offsite backups stand as a fail-safe. They create a reliable safety net for your content, ensuring that you can bounce back quickly, whatever comes your way.

Together, MalCare’s suite of tools creates fortification around your WordPress site, delivering a holistic security approach that’s both proactive and resilient.
