In December 2022 [1] [2] [3] [6], a cybersecurity research firm discovered a campaign known as Balada Injector, which targeted over 17,000 WordPress websites. This campaign exploited vulnerabilities in premium theme plugins [5], injecting a Linux backdoor into compromised sites and redirecting visitors to fraudulent pages [2]. The Balada Injector campaign has been active since 2017 and has already compromised nearly one million WordPress websites [2].


In September 2023 [1] [2] [3] [4] [6], Sucuri [2] [4] [5], the cybersecurity research firm [4], observed six distinct attack waves that compromised over 17,000 WordPress websites [2]. These attacks specifically targeted the CVE-2023-3169 vulnerability, which had been disclosed shortly before the campaign began. The attackers utilized a malicious plugin called wp-zexit.php to remotely send and execute PHP code on compromised websites. Additionally, they injected code into templates to redirect users to scam sites [2].

To protect against the Balada Injector campaign, webmasters and site owners are advised to upgrade the tagDiv Composer plugin to version 4.2 or later [5], as this vulnerability was exploited in the attacks. It is also recommended to regularly update all themes and plugins, remove dormant user accounts [2], and scan files for hidden backdoors [2]. These measures will enhance the security of WordPress websites and mitigate the risk of compromise.


The Balada Injector campaign has had significant impacts, compromising a large number of WordPress websites and redirecting visitors to fraudulent pages. However, by following the recommended security measures, webmasters and site owners can protect their websites from this campaign. It is crucial to stay vigilant and regularly update themes, plugins [1] [2] [3] [4] [5] [6], and user accounts to prevent future compromises.