An estimated one million WordPress websites have been compromised during a long-lasting campaign that exploits “all known and recently discovered theme and plugin vulnerabilities” to inject a Linux backdoor that researchers named Balad Injector.The campaign has been running since 2017 and aims mostly to redirect to fake tech support pages, fraudulent lottery wins, and push notification scams.According to website security company Sucuri, the Balad Injector campaign is the same one that Dr. Web reported in December 2022 to leverage known flaws in several plugins and themes to plant a backdoor.
Source: Massive Balada Injector campaign attacking WordPress sites since 2017