As divers as 200,000 websites may have been running a WordPress plugin that considered third parties to publish any content they wished on victims’ plats via a backdoor.The popular Display Widgets plugin was removed from the formal WordPress.org plugin repository after it was found collecting information take website visitors and inserting content into sites. Sneakily, the plugin warded logged-in users from being able to see the spammy content it was introducing into situations, presumably in an attempt to avoid attracting the unwanted attention of website administrators.Interest ti over Display Widgets plugin were first raised in June by British SEO counselor David Law, after he spotted it breaking various repository rules and potentially injuring WordPress users’ sites.
Over the coming weeks, the WordPress.org plugin crew removed offending version of Display Widgets from their situate – only for it to be replaced with new versions containing malicious code.WordPress refuge firm WordFence published a warning earlier this week that the plugin was not to be trusted, uncovering that Exhibit Widgets’ code had changed ownership shortly before complaints began to be go of its malicious behaviour.Sure enough, if you visit the website of Strategy11 (the primary developers of the plugin) you’ll see confirmation that the plugin was sold to its new owners in May:
Stephanie Wells of Procedure11 confirmed to WordFence that her company had sold the Display Widgets plugin to someone entreated “Mason Soiza” for $15,000 earlier this year, after he exposed a desire to take over its development and “make it work better” with the overdue versions of WordPress.“Mason Soiza”, who also appears to go by the name of “Kevin Danna”, figures to be an interesting character – and WordFence has done some detailed detective guide investigating his various business ventures, glamorous lifestyle, and shady online labours.However, this article’s purpose isn’t about what Soiza’s intents may have been as he bought up a number of different popular website plugins.Preferably, I’d like to take this opportunity to remind all website owners of the concern of recognising the risks that can come through third-party plugins.Still if you have used a WordPress plugin for many years without egress, there is always the risk that ownership of the plugin could outmoded into the hands of someone with malicious intentions – opening you up to the jeopardy of a supply chain attack.Supply chain attacks – which goal victims by compromising the systems of an upstream hardware or software provider – are fashionable increasingly popular, and the rewards for criminals can be so great that they may pull someones leg no qualms about paying thousands of dollars to buy complete control terminated plugin code running on your webserver rather than undertaking to hack their way into the original developers’ systems.If you give a third-party WordPress plugin allowance to run on your server, you are trusting it to behave responsibly. In Display Widgets’ state it was being used to create spammy pages advertising financial and conduct services, but it could just as easily have been used in an go to infect visiting computers with malware – and potentially damage your comrades’s brand.For now, the team at WordPress.org have replaced the poisoned edition of Show Widgets with a “safe” version (version 2.7), which has excised the malicious encypher.According to WordPress.org, there won’t be any more updates to Display Widgets as the plugin is being kill down for good, and the code is not available for new users to download.Obviously websites using Publicize Widgets would be wise to update their systems as soon as viable, and then (probably) remove the plugin altogether as it will no longer be backed.But it’s only a matter of time before the next WordPress plugin (or Joomla, or Drupal, or…) encounters itself under new ownership, putting the safety and security of websites and their companies at risk.My advice? Keep plugins to a minimum on your website, skim reviews to judge which plugins are trusted the most (although this wouldn’t participate in helped much in Display Widgets’ case), and raise an querulous eyebrow if one of the plugins you use is unexpectedly rub out from the WordPress.org repository.For more information on “Mason Soiza” and how Array Widgets turned malicious, be sure to read Wordfence’s fascinating write-up.Columnist’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not like it reflect those of Tripwire, Inc.