Sucuri CTO Daniel Cid and COO Tony Perez recently discovered that the Social Media Widget plugin for WordPress was being used to inject spam into Web sites -- and with just under a million downloads, the plugin had the potential to impact a significant number of sites (h/t E Hacking News).
"The plugin has a hidden call to this URL: httx://i.aaur.net/i.php, which is used to inject 'Pay Day Loan' spam into the web sites running the plugin," Cid and Perez note in a blog post.
Still, Cid and Perez say the real concern wasn't the spam injection. "That happens all the time -- it’s the fact that the malicious payload found its way in the core files," they write. "It was then uploaded to the WordPress.org Plugin Repository ... the attacker is doing this directly to the core of the plugin. So, either it’s the author, or his credentials are compromised."
In a comment on the Sucuri blog post, developer Brian Freytag noted that he's no longer the maintainer of the Social Media Widget plugin, and wrote, "I had a discussion with the current maintainer whom I transferred the rights over to - It seems that one of the freelancers that he hired to do some updates decided to go rogue or his password was cracked, though you will have to hear it from him for the full story."
On the WordPress support forums, WordPress' Samuel Wood explained, "Basically, the current maintainer is not a professional programmer, and put his trust in the wrong freelancers to do the coding work for him. Though he did check in the malicious code, it's clear from our communications that he was unaware of its nature. ... So the plugin is back up for now, and as long as it stays clean, it's fine."