If you have a plugin called “Display Widgets” on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor.
The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed from and readmitted to the WordPress.org plugin repository a total of four times. The plugin is used by approximately 200,000 WordPress websites, according to the WordPress.org plugin repository. During the past months you would have been warned several times, with a ‘critical’ level warning from the WordPress repository, that this plugin had been removed.
It turns out that this plugin did have “unknown security issues”. Let’s start with a timeline of what happened to Display Widgets: why it was removed three times from the repository and allowed back in each time, and then finally removed again a fourth time a few days ago.
The malicious code is not an exploit. It is a backdoor giving the author access to publish content on websites using the plugin. Thanks to the active WordPress community, who immediately informed WordPress.org, the plugin was promptly removed from the repository.
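The advice above is to find and remove the plugin. The script below is an added example written for this post, not code from the post or from the plugin or WordPress.org. It walks a `wp-content/plugins` directory, reads each plugin's header to identify it by name and version, flags any plugin named “Display Widgets”, and, as a separate generic heuristic, flags any plugin whose PHP both fetches remote content and inserts posts (that combination is an assumption about how content-publishing backdoors generally look, not a description of the Display Widgets code itself). The directory slug `display-widgets`, the version strings and the sample plugin files are constructed for the demo.

```python
import os
import re
import shutil
import tempfile

# Header fields WordPress reads from the top of a plugin's main PHP file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

# Plugins to flag by their declared name. "Display Widgets" is the plugin named in the post.
BLOCKLIST = {"display widgets"}

# Generic heuristic (an assumption, not the Display Widgets code): a plugin that both pulls
# content from a remote source and creates/updates posts deserves a manual review.
REMOTE_FETCH = ("wp_remote_get", "wp_remote_post", "curl_exec", "file_get_contents(")
POST_INSERT = ("wp_insert_post", "wp_update_post")


def read_plugin_header(plugin_dir):
    """Return {'name', 'version'} from the first PHP file carrying a Plugin Name header."""
    for entry in sorted(os.listdir(plugin_dir)):
        if not entry.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, entry), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress itself only inspects the first 8 KB
        fields = {key.lower(): val for key, val in HEADER_RE.findall(head)}
        if "plugin name" in fields:
            return {"name": fields["plugin name"], "version": fields.get("version", "unknown")}
    return None


def plugin_has_publish_capability(plugin_dir):
    """True if any PHP under plugin_dir matches both the remote-fetch and post-insert tokens."""
    fetch = insert = False
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            fetch = fetch or any(tok in src for tok in REMOTE_FETCH)
            insert = insert or any(tok in src for tok in POST_INSERT)
    return fetch and insert


def audit_plugins(plugins_root):
    """Return findings as (slug, declared name, version, reason), sorted by slug."""
    findings = []
    for slug in sorted(os.listdir(plugins_root)):
        plugin_dir = os.path.join(plugins_root, slug)
        if not os.path.isdir(plugin_dir):
            continue
        header = read_plugin_header(plugin_dir)
        name = header["name"] if header else slug
        version = header["version"] if header else "unknown"
        if name.strip().lower() in BLOCKLIST:
            findings.append((slug, name, version, "blocklisted plugin"))
        elif plugin_has_publish_capability(plugin_dir):
            findings.append((slug, name, version, "fetches remote content and inserts posts"))
    return findings


def plugin_installed(plugins_root, slug):
    return os.path.isdir(os.path.join(plugins_root, slug))


def remove_plugin(plugins_root, slug, dry_run=True):
    """Delete a plugin directory; with dry_run=True only report whether it exists."""
    if not plugin_installed(plugins_root, slug):
        return False
    if not dry_run:
        shutil.rmtree(os.path.join(plugins_root, slug))
    return True


def build_demo_tree():
    """Constructed sample plugins tree: one blocklisted plugin, one matching the heuristic,
    one benign. Version numbers are placeholders, not real release numbers."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    samples = {
        "display-widgets/display-widgets.php":
            "<?php\n/*\nPlugin Name: Display Widgets\nVersion: 0.0.0-sample\n*/\n",
        "odd-plugin/odd-plugin.php":
            "<?php\n/*\nPlugin Name: Odd Plugin\nVersion: 0.0.1-sample\n*/\n"
            "$r = wp_remote_get('https://example.invalid/feed');\n"
            "wp_insert_post(array('post_content' => $r['body']));\n",
        "benign/benign.php":
            "<?php\n/*\nPlugin Name: Benign Plugin\nVersion: 0.0.2-sample\n*/\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in audit_plugins(demo_root):
        print("%-16s %-16s %-14s %s" % finding)
    print("removed display-widgets:", remove_plugin(demo_root, "display-widgets", dry_run=False))
```

Point `audit_plugins()` at a real `wp-content/plugins` directory to list flagged plugins; the heuristic match is a prompt for review, not proof of a backdoor, while a blocklist hit on Display Widgets is what the post says to remove. Keep `dry_run=True` until you have confirmed the slug, since `remove_plugin()` deletes the whole directory.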
Could This Have Been Accidental?
It is worth considering that the plugin author may have accidentally included an external library containing someone else’s malicious code without realizing it. Our recent study indicates that it was deliberate, done by the new owner of the plugin, who purchased it from the original author a few months back.
We will be releasing a video blog with a deeper inspection that goes into the root of this breach. Please keep an eye out for it.