Malicious WordPress Plugin that Hijacked over 200,000 Websites Finally Removed

In a new attack on WordPress sites, another piece of malicious software has been found. A WordPress plugin known as Display Widgets was discovered to contain a hidden backdoor that let its authors get into sites running the plugin and modify their content.

According to a report by PC Authorities, there have been at least 200,000 websites infected.

The Plugin

The open source plugin “Display Widgets” was reportedly sold off to a third party this year, and after the sale it began to carry malicious code. Version 2.6.0 was released containing code that could download data from users’ servers. The anomaly was detected by David Law, a UK-based SEO consultant, who then alerted WordFence, an IT security firm.

Mark Maunder, CEO of WordFence, said in a statement, “The authors of this plugin [Display Widgets] have been using the backdoor to publish spam content to sites running their plugin. During the past three months, the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times.”

Another update of the plugin was released. Version 2.6.1 contained a file, “geolocation.php”, that allowed its developers to modify the content of web pages and post any content they wanted.

It was removed, but the plugin returned in September with a new version that included the same malicious code, which apparently went unnoticed.

“The authors of the plugin are actively maintaining their malicious code, switching between sources for spam and working to obfuscate the domain they are fetching spam from,” said Maunder.

The Purge

When WordFence CEO Mark Maunder released a statement about the issue, he bluntly said, “If you have a plugin called ‘Display Widgets’ on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor.”

The plugin has been removed again, and this time we can only hope it is for good. Last week, though, WordPress announced that a clean version of the plugin is “safe and available.”

WordFence traced the malicious code to a 23-year-old Brit named Mason Soiza. According to the story, Soiza bought the plugin for $15,000 from its original author, Stephanie Wells of Strategy 11.

When asked, Wells said that Soiza was “trying to build one of the largest WordPress plugin companies” which was “already managing more than 34 plugins”.

The plugin has ultimately been taken down as of September 8, and no new updates will be admitted to WordPress. For those who already had the plugin installed, WordPress’s Pizdin Dim stated that “the 2.7 version being offered thru the upgrade system is safe and available”.
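As an added defender-side check (not code from the article, WordFence or the plugin itself), this Python script audits a wp-content/plugins directory for Display Widgets: it reads the version from the plugin's header, flags any release older than 2.7 and the presence of the geolocation.php file the article names, and recommends removal. The folder name display-widgets and the header layout are assumptions, and the sample install the script builds is constructed for demonstration.

```python
import re
import tempfile
from pathlib import Path

# Assumptions not stated in the article: the plugin folder is "display-widgets"
# and its main file carries the standard WordPress header with a "Version:" line.
PLUGIN_SLUG = "display-widgets"
BACKDOOR_FILE = "geolocation.php"  # file the article names as the backdoor
SAFE_VERSION = (2, 7)              # release described as safe by WordPress.org
HEADER_RE = re.compile(r"^[\s*]*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

def parse_plugin_header(php_source):
    """Return the Plugin Name / Version fields of a WordPress plugin header."""
    return dict(HEADER_RE.findall(php_source))

def parse_version(text):
    """'2.6.1' -> (2, 6, 1); tuples compare component-wise like version numbers."""
    return tuple(int(p) for p in re.findall(r"\d+", text))

def audit_plugins_dir(plugins_root):
    """Inspect wp-content/plugins and decide whether Display Widgets must go."""
    plugin_dir = Path(plugins_root) / PLUGIN_SLUG
    result = {"installed": plugin_dir.is_dir(), "version": None,
              "backdoor_file": False, "action": "none"}
    if not result["installed"]:
        return result
    for php in sorted(plugin_dir.glob("*.php")):
        header = parse_plugin_header(php.read_text(errors="ignore"))
        if "Version" in header:
            result["version"] = header["Version"]
            break
    result["backdoor_file"] = (plugin_dir / BACKDOOR_FILE).is_file()
    version = parse_version(result["version"] or "0")  # unknown counts as old
    if result["backdoor_file"] or version < SAFE_VERSION:
        result["action"] = "remove"
    return result

def build_sample_install(version, with_backdoor):
    """Create a constructed throw-away plugins directory for demonstration."""
    root = Path(tempfile.mkdtemp())
    plugin_dir = root / PLUGIN_SLUG
    plugin_dir.mkdir()
    (plugin_dir / "display-widgets.php").write_text(
        f"<?php\n/*\nPlugin Name: Display Widgets\nVersion: {version}\n*/\n")
    if with_backdoor:  # constructed marker file only, not the real payload
        (plugin_dir / BACKDOOR_FILE).write_text("<?php\n")
    return root
```

Run audit_plugins_dir against a site's real wp-content/plugins path; an "action" of "remove" means the install matches the releases the article describes as backdoored.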

Copyright MBP Ninja Affiliate 2017