According to security firm Wordfence, roughly 200,000 WordPress websites were impacted after a plugin they were using was updated to include a backdoor.
“If you have a plugin called ‘Display Widgets’ on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor,” reported Wordfence.
“The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times. The plugin is used by approximately 200,000 WordPress websites, according to the WordPress repository.”
The plugin, Display Widgets, was sold by its original author to a third-party developer on May 19, 2017, for $15,000.
A month after the sale, the new owner issued the first update, and the plugin began showing strange behavior. It has since been updated several times and, as of September, had already been removed from the plugin repository multiple times.
Display Widgets version 2.6.0, released on June 21, was removed from the repository just two days later after experts noticed it was downloading 38 megabytes of code (a Maxmind IP geolocation database) from an external server.
A few days later, on June 30, version 2.6.1 was released. It was found to contain a malicious file called geolocation.php that allowed the author to post new content to websites running the plugin. The same code also allowed the author to update and remove content without giving any indication to the site admins.
Display Widgets was removed from the WordPress repository on July 1, but the author continued to issue further releases.
Version 2.6.2 of Display Widgets was released a week later with updated malicious code, and the plugin was removed from the plugin repository again on July 24. The plugin owner published version 2.6.3 on September 2, again with the malicious code updated to fix a bug, and Display Widgets was removed from the WordPress plugin repository on September 8.
The plugin owners speculated that the malicious code was a vulnerability that could be exploited in combination with other plugins to display spam content to users.
According to the experts, WordPress installs running versions 2.6.1 through 2.6.3 of Display Widgets may be affected by the malicious code and might be displaying spam content.
Wordfence highlighted that the new plugin owners may have acted intentionally to compromise websites using the plugin: the latest release included a fix for a bug in the backdoor, meaning they were aware of it and were exploiting it for malicious purposes.
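The article names the affected release range (2.6.1 through 2.6.3) and the dropped file (geolocation.php), which is enough for a first-pass triage check on a WordPress host. The script below is an added example, not code from Security Affairs or Wordfence: it reads the plugin's "Version:" header the way WordPress does (from the first 8 KB of a top-level PHP file), compares it against the range the article gives, and reports whether geolocation.php is present. The plugin directory name display-widgets and the fixture layout used for testing are assumptions.

```python
"""Triage helper for the Display Widgets backdoor described in the article.

Added example (not the article's or Wordfence's code). Assumptions:
  - the plugin lives in wp-content/plugins/display-widgets (assumed slug)
  - the affected range 2.6.1..2.6.3 and the file name geolocation.php
    are taken from the article
"""
import os
import re
import tempfile

AFFECTED_MIN = (2, 6, 1)            # first release the article says is backdoored
AFFECTED_MAX = (2, 6, 3)            # last release the article mentions
PLUGIN_DIR = "display-widgets"      # assumed plugin directory name
MALICIOUS_FILE = "geolocation.php"  # file named in the article

# WordPress plugin headers look like "Version: 2.6.1" inside a PHP comment block.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)",
                       re.MULTILINE | re.IGNORECASE)


def parse_version(text):
    """Turn '2.6.1' into a comparable (2, 6, 1); pads short versions with zeros."""
    parts = [int(p) for p in text.strip().split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def read_plugin_version(plugin_path):
    """Find the 'Version:' header in any top-level PHP file of the plugin."""
    for name in sorted(os.listdir(plugin_path)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_path, name), "r",
                  encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress only reads the first 8 KB for headers
        match = HEADER_RE.search(head)
        if match:
            return parse_version(match.group(1))
    return None


def triage(wp_root):
    """Report whether the plugin is installed, its version, and the two indicators."""
    plugin_path = os.path.join(wp_root, "wp-content", "plugins", PLUGIN_DIR)
    result = {"installed": False, "version": None,
              "affected_version": False, "geolocation_php_present": False}
    if not os.path.isdir(plugin_path):
        return result
    result["installed"] = True
    version = read_plugin_version(plugin_path)
    result["version"] = version
    if version is not None:
        result["affected_version"] = AFFECTED_MIN <= version <= AFFECTED_MAX
    result["geolocation_php_present"] = os.path.isfile(
        os.path.join(plugin_path, MALICIOUS_FILE))
    return result


def make_fixture(version, with_geolocation):
    """Build a constructed WordPress tree in a temp dir for offline testing.
    The geolocation.php written here is a placeholder, not the real file."""
    root = tempfile.mkdtemp()
    plugin_path = os.path.join(root, "wp-content", "plugins", PLUGIN_DIR)
    os.makedirs(plugin_path)
    header = "<?php\n/*\nPlugin Name: Display Widgets\nVersion: %s\n*/\n" % version
    with open(os.path.join(plugin_path, "display-widgets.php"), "w") as fh:
        fh.write(header)
    if with_geolocation:
        with open(os.path.join(plugin_path, MALICIOUS_FILE), "w") as fh:
            fh.write("<?php // constructed placeholder for the triage test\n")
    return root


if __name__ == "__main__":
    # Run against a real install with: triage("/var/www/html")
    print(triage(make_fixture("2.6.1", True)))
    print(triage(make_fixture("2.5.0", False)))
```

A "clean" result only means neither indicator was found; a site that ran an affected release may still carry injected posts, so the remediation Wordfence gave (remove the plugin) and a review of recently created content still apply.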
Further investigation allowed the experts to discover that the man behind the plugin spam was Mason Soiza, a 23-year-old Briton who bought the plugin in late May. The original author, who goes by the online moniker Strategy11, confirmed that Soiza approached his development team claiming his firm was trying to “build one of the largest WordPress plugin companies” and was already distributing over 34 plugins.
One of these plugins, 404 to 301, was found delivering spam for a website owned by Soiza last year; the server used to serve spam to that plugin also hosts a website owned by Soiza. While Soiza claims to have purchased the Display Widgets plugin only earlier this year, experts with Wordfence believe he could be involved in suspicious activities. Wordfence discovered that he also used the alias Kevin Danna and that he has interests in online businesses such as payday loans, gambling, and escort services, among others.
“He has interests in a wide range of online business that include payday loans, gambling and ‘escort’ services, among others,” reported Wordfence.
Soiza claims to have sold Display Widgets for profit shortly after buying it and denied being involved in any illegal activity.
(Security Affairs – Display Widgets, spam)