tagDiv, the developer of one of the most popular WordPress themes in the world, just activated a trojan horse in their themes taking over thousands of websites. With the release of the Newspaper Theme 11.3 last night, the previous version 11.2 enabled code by developers that disabled websites replacing them with ads. An untold number of websites and news outlets were affected.

Disclosure: Jekko News used this WordPress theme at the time of writing. We have migrated due to this security threat.

In all my years of internet, I’ve never seen a legitimate developer destroy, damage, or dismantle thousands of websites to promote their affiliate link. An affiliate links are links that pay the advertiser when a purchase is made. Whether or not it was a cash grab, the more troubling information about tagDiv came forward: They’ve coded a kill switch into there themes that can takeover Newspaper, Newsmag, and others from the Envato market at any moment.

Like the theme names imply, tagDiv creates WordPress themes for news outlets, magazines, and ecommerce. Websites that were taken offline range from local news to nationally syndicated outlets. The effects of newsrooms being locked out of their content management system can have devastating results. Readers might be under the impression their news websites have been hacked. Even when resolved, downtime for any website can have long lasting results.

As of the time of this article, 114,540 have purchased the Newspaper theme. The theme is available for purchase via the Envato marketplace. Customers’ websites that did not enable auto-update, register the theme, or had other issues were completely taken offline and replaced with an ad from the developer. Other customers reported their legitimately purchased themes had taken down their websites too. Although the tagDiv has disguised this as DRM to prevent piracy, the fact remains they have installed a way to take over websites using their themes.

Affected users can remove the theme directory via FTP to regain control.

Whether it was done to combat Piracy or not, inserting code to take over paying users websites is troubling. The news industry is based on trust, and tagDiv has just shown that the tools they build for that industry cannot be blindly trusted anymore. Furthermore, Envato needs to address the issue at a market place level.

tagDiv has not responded to our requests for comment.

Update 10/13/2021: An Envato representative responded to our request, but needs to escalate it. As such we’re waiting for an official comment.

Update 10/14/2021: Affected buyers are flooding the comments after their websites have been hijacked by the developer.

“NO NO NO! You’ve made updates to block everything! I have your license. I test my website in staging. After the update, I CANNOT DO ANYTHING. Time to go back to the previous theme.”

“You told me we will be able to update the main website while working on staging website. Now what is this (…). I am unable to update my main website. Who has given you the permission to control my website backend. I am unable to switch my theme also because you have locked my website backend.”

Update 10/15/2021: Envato has released this statement via social media. “Thanks for getting in touch. We’re engaging with the author about changes they made to the item that have breached our terms, and will be reviewing how these terms are better understood across the community in the future.”

Foo is the founder of Jekko. Unlike other publishers, Foo attends thousands of events, interviews personalities from startups to Fortune 500s, and blows stuff up on YouTube.

One reply on “tagDiv Just Activated a Backdoor in Their Envato Market WordPress Themes”

Comments are closed.