tagDiv, a Romania WordPress theme developer, has added an advertising backdoor into their Newspaper theme. On April 6th, 2023 with version 12.3.1 security update, tagDiv removed a vulnerability only to add in one of their own – unskippable ads for their services. This comes less than two years after tagDiv took over thousands of websites with a backdoor promoting their affiliate links.

This isn’t an ad, it’s a security vulnerability.

Sites using Newspaper 12.3.1 gives all WordPress users of banner ads for TagDiv’s “Bespoke Web Development and Design Services.” This includes administrators who paid for a license and all newsroom contributors who login. This bad behavior isn’t just spam, but unethical. It disregards WordPress’ best practices, Envato’s ToS, and the fact the website may already have a design.

Cybersecurity experts I spoke to at Carnegie Mellon University described these moves as, “Classic signs of a bad actor.” Spamming customer websites with ads is unethical, but more concerning is the fact tagDiv has done worse in the past. “Let’s be clear, this isn’t an ad, it’s a security vulnerability.” The experts point out that tagDiv adding in the ability to control client websites in the past is troubling – even if it was under the guise of DRM.

Envato’s David Scott said they will investigate the matter. Tagdiv has not responded to our requests for comment. Customers are responding with one-star reviews.

The Newspaper theme has over 130,000 purchases on the Envato Marketplace. Originally, the tagDiv set the bar for developing newsroom tools, but in recent years updates have slowed signaling the product could be End-of-life. The recent ad-hijack of websites could allude to a developer facing financial difficulty.

The WordPress ecosystem has drastically changed since Newspaper’s launch in 2013. Themes such as JegTheme’s JNews and Automattic’s Newspack have started to gain market share. Many, including us, have migrated over. There’s a reason why.

Ultimately, small and mid-size journalism outlets are built on trust. Developers rely on trust too. Currently tagDiv has shown they need to rebuild their reputation as newsrooms fear they are now an auto-update away from major changes.

Update 4/10/23: tagDiv has re-released 12.3.1, but did not document it, adding in the ability to turn off the ad. However, they have hidden the toggle in a system page that users are unlikely to find.

Update 4/20/23: tagDiv’s Simon C. replied to a one-star review implying Newspaper Theme may become ad-supported from here on out. “The advertisements are very helpful…” and “[tagDiv] will also revise the ads and how/where they are displayed, in a future update…”

Foo is the founder of Jekko. Unlike other publishers, Foo attends thousands of events, interviews personalities from startups to Fortune 500s, and blows stuff up on YouTube.