The Display Widgets WordPress plugin, with over 200,000 installs, changed ownership and the new authors added backdoor code to it on June 30th. This code allowed them to bypass site authentication and publish spam to websites using the plugin. The spam was hidden from the site admin and any logged-in user.
The new plugin owners used this backdoor repeatedly to publish spam to affected websites. During the past 3 months, the plugin has been removed from and allowed back into the WordPress plugin repository four times. During much of that time, the plugin contained this backdoor, which no one noticed.
Today on the blog, we cover this story in some detail. We include a timeline of what happened, how the malicious code functions and who is behind this spam campaign. We also share how customers were warned by Wordfence about this plugin when it was removed from the repository and were able to remove it from their own sites.
Wordfence Founder & CEO