CVE-2023-3169: 
WordPress vulnerability analysis and mitigation

The tagDiv Composer WordPress plugin before version 4.2, which is used as a companion by the Newspaper and Newsmag themes from tagDiv, contains a security vulnerability identified as CVE-2023-3169. The vulnerability was discovered by Truoc Phan and publicly disclosed on August 17, 2023. The issue stems from a lack of authorization in a REST route and improper validation and escaping of parameters (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS v3.1 base score of 6.1 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The flaw exists in the REST route implementation where parameters are neither properly validated nor escaped when being output. The issue was partially addressed in version 4.1, where authorization was added but remained exploitable by administrators, and was fully fixed in version 4.2 (NVD, WPScan).

The vulnerability allows unauthenticated users to perform Stored Cross-Site Scripting attacks. This security flaw has been actively exploited in the wild, with reports indicating that over 9,000 WordPress websites were compromised in September 2023 using this vulnerability as part of the Balada Injector malware campaign (Hacker News).

The vulnerability has been fixed in tagDiv Composer version 4.2. Website administrators are strongly advised to update to this version or later to protect against potential attacks. While version 4.1 introduced partial fixes by adding authorization checks, it remained exploitable by administrators, making the upgrade to version 4.2 crucial for complete protection (WPScan).

The security community has noted this vulnerability's significance, particularly due to its active exploitation by the Balada Injector campaign. The campaign has been observed targeting WordPress sites in recurring waves, with attacks typically intensifying on Tuesdays following weekend initialization (Hacker News).