Skip to main content

Varist continues to find examples of Balada Injector compromised websites via unpatched tagDiv WordPress plugins.

Long time WordPress site infection campaign, the Balada Injector gang, has been running since 2017 and was first observed taking advantage of an Unauthenticated Stored XSS vulnerability (CVE-2023-3169) in September 2023. Not long after, it was reported on by cybersecurity specialist Sucuri.

Despite this being reported several months ago, Varist is continuing to observe malicious code infections using this vulnerability with several variants now being seen.

Varist Protection

Varist’s engines provide ongoing protection against this threat with several variants being detected:

To date, Varist detections include:

  • JS/Balada.A.gen!Eldorado
  • JS/Agent.CDY.gen
  • JS/Redir.AJG!Eldorado
  • JS/Agent.CEJ.gen!Eldorado

Website Hosting Vendors and Site Owners: Stay Safe, Stay Updated
This should be a warning for all website hosting vendors and owners to properly manage website security. Whilst cybersecurity vendors, such as Varist, can protect end-users from such threats, it remains the responsibility for website hosting vendors and site owners to play an active role in protecting their digital assets. Here’s how:

  • Regular Updates
    Ensure that tagDiv Composer, along with all other plugins and themes, are updated to their latest versions. These updates often contain critical security patches that protect against newly discovered vulnerabilities.
  • Comprehensive Security Audits
    Regularly conduct security audits of your WordPress site to identify and address new vulnerabilities.
  • Educate and Inform
    Stay informed about the latest cybersecurity threats and best practices. Educating yourself and your team can significantly reduce the risk of falling victim to attacks like the Balada Injector.

For more information as to how Varist’s engines can boost your product or services security, visit us at or drop us a line at [email protected].