A malicious plugin allowed spam to be uploaded to up to 200,000 websites.
Most content management systems (CMSes) allow third-party plugins, and while that’s generally a good thing – allowing extra features to be added to the website – you need to take care about which plugins you install.
For example, a WordPress plugin has been recently exposed as having installed backdoors on thousands of websites, allowing spam to be uploaded onto any of those websites.
According to IT security firm WordFence, the plugin known as Display Widgets should be removed immediately by website owners. The firm said that the last three releases of the plugin have contained code that allows the author to publish any content on an affected site, and that the plugin is used by approximately 200,000 websites, according to the WordPress repository.
“The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times,” said Mark Maunder, CEO of WordFence.
Maunder said that people in the WordPress community should not “start any witch hunts”.
“Occasionally plugins change ownership and very rarely, that doesn’t go well. That appears to be what happened in this case,” he said.
Nevertheless, it’s a timely reminder to be careful about installing third-party CMS plugins – and, indeed, for anyone with a website to be vigilant about keeping track of unusual activity on the site.
How it was exposed
Maunder said that the plugin was originally developed as an open-source plugin but was then sold to others on 21 June. Its new owner immediately released an updated version, 2.6.0. WordFence was informed by David Law, a UK-based SEO consultant, that the widget had begun installing additional code and had then started downloading data onto Law's server.
On 23 June, WordFence removed Display Widgets, and a week later the new owner released version 2.6.1 of the plugin. This release contained a file called geolocation.php which, as no-one realised at the time, contained malicious code. This code allowed the plugin author to post new content to any website running the plugin, at a URL of their choosing.
“Furthermore, the malicious code prevented any logged-in user from seeing the content. In other words, site owners would not see the malicious content. David Law again contacted the plugin team and let them know that the plugin is logging visits to each website to an external server, which has privacy implications,” said Maunder.
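The behaviour described above, spam served to ordinary visitors but hidden from logged-in users, is a form of cloaking, and a site owner can check for it by fetching the same page once anonymously and once with a logged-in session and diffing the outbound links. The following script is an added example written for this article, not WordFence's or the plugin's code; the two HTML documents are constructed samples standing in for the anonymous and authenticated views, and the hostname "blog.example" and the spam domain "spam-offers.invalid" are placeholders.

```python
"""Flag links that a site shows to anonymous visitors but hides from
logged-in users, a sign of injected spam being cloaked by a plugin.
Added example for this article; the sample HTML below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) for every <a> tag in a document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] of the <a> being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def external_links(html, site_host):
    """Return the set of (href, text) pairs that point off-site."""
    parser = LinkCollector()
    parser.feed(html)
    found = set()
    for href, text in parser.links:
        host = urlparse(href).netloc.lower()
        if host and host != site_host.lower():
            found.add((href, text))
    return found


def find_cloaked_links(anon_html, auth_html, site_host):
    """Off-site links present in the anonymous view but absent from the
    logged-in view.  Legitimate links appear in both, so they cancel out;
    anything left is content the site's own users are not being shown."""
    return sorted(external_links(anon_html, site_host)
                  - external_links(auth_html, site_host))


# Constructed sample pages (placeholders, not captured from any real site).
AUTH_VIEW = """<html><body>
<a href="/about">About</a>
<p>Built with <a href="https://wordpress.org/">WordPress</a></p>
</body></html>"""

ANON_VIEW = """<html><body>
<a href="/about">About</a>
<p>Built with <a href="https://wordpress.org/">WordPress</a></p>
<div style="display:none">
  <a href="http://spam-offers.invalid/pills">cheap pills</a>
  <a href="http://spam-offers.invalid/loans">fast loans</a>
</div>
</body></html>"""


if __name__ == "__main__":
    for href, text in find_cloaked_links(ANON_VIEW, AUTH_VIEW, "blog.example"):
        print(f"cloaked link: {href!r} ({text!r})")
```

In a real check the two inputs come from two HTTP fetches of the same URL, one with no cookies and one with an administrator's session cookie; a non-empty result is worth investigating, and comparing it against search-engine results for the site (as the Trac reporter in this story did) confirms whether the hidden content has already been indexed.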
On 1 July, the plugin was pulled from the WordPress repository, but version 2.6.2 followed on 6 July. Again, it included the malicious code referenced above, which had still gone unnoticed by anyone.
It was on 23 July that a user by the name of Calvin Ngan opened a Trac ticket reporting that Display Widgets was injecting spammy content into his website. He included a link to Google results that had indexed the spam and said the malicious code was in geolocation.php.
In September, version 2.6.3 of the plugin was released, and it included the same malicious code. Last week, a forum user on WordPress.org reported on the Display Widgets plugin support forum that spam had been injected into their website.
“The authors of the plugin are actively maintaining their malicious code, switching between sources for spam and working to obfuscate (hide) the domain they are fetching spam from,” said Maunder.
The plugin was removed permanently on 8 September, but Maunder tracked down its new buyer to a service called WP Devs, which buys old and abandoned plugins.
His investigations found that the company appears to be run by one person in the US and possibly another in Eastern Europe, judging by linguistic errors made by the poster.
This news story is based on an article that originally appeared at IT Pro.