Connect with us

Hi, what are you looking for?


Application Security

Backdoored Plugin Impacts 200,000 WordPress Sites

Around 200,000 WordPress websites were impacted after a plugin they were using was updated to include malicious code, Wordfence reports.

Around 200,000 WordPress websites were impacted after a plugin they were using was updated to include malicious code, Wordfence reports.

Dubbed Display Widgets, the plugin was sold by its original author to a third-party developer on May 19, 2017, for $15,000. Roughly one month after that, the plugin was updated by its new owner and started displaying malicious behavior. By early September, the plugin had gone through several updates and had been already removed from the plugin repository multiple times.

The first malicious Display Widgets iteration was version 2.6.0, released on June 21 and removed from the repository two days later. It was downloading 38 megabytes of code (a large Maxmind IP geolocation database) from an external server.

On June 30, version 2.6.1 was released, containing a malicious file called geolocation.php and designed to post new content to websites running the plugin. The code also allowed the plugin author to update content and remove content and prevented logged-in users (such as site owners) from seeing the content. Display Widgets was removed from the WordPress repository on July 1.

Version 2.6.2 of Display Widgets was released a week later with modified malicious code and was removed from the plugin repository on July 24. The plugin owner published version 2.6.3 on September 2 and even included a bug fix in the malicious code. Display Widgets was removed from the WordPress plugin repository on September 8.

Before the plugin was removed the fourth time, the plugin owners suggested that the malicious code was a vulnerability that could be exploited in combination with other plugins to display spam content to users. According to Wordfence, the code was in fact a backdoor providing the authors with access to publish content on websites using the plugin.

All sites using version 2.6.1 to version 2.6.3 of Display Widgets are possibly impacted by the malicious code and might be spamming their users with unwanted content. And while the new plugin owners may say they were unaware of the malicious behavior, Wordfence claims otherwise, pointing out that they included a fix for the malicious code in the latest release, meaning they were aware of its functionality.

Advertisement. Scroll to continue reading.

The person who bought the plugin in late May is Mason Soiza, 23, of the U.K., the researchers have discovered. The former authors at Strategy11 revealed that Soiza approached them claiming his firm is trying to “build one of the largest WordPress plugin companies” and that they were already managing over 34 plugins.

One of these plugins appears to be 404 to 301, which was found to deliver spam last year. The spammed content was for a website owned by Soiza, while the server used to serve spam to the plugin serves another website he owned. However, Soiza apparently claims to have purchased this plugin only earlier this year.

Wordfence also discovered that he would sometimes use the Kevin Danna alias and that he has interests in online business such as payday loans, gambling, and escort services, among others. Contacted by the researchers, Soiza claims to have sold Display Widgets for profit shortly after buying it.

Related: New “WPSetup” Attack Targets Fresh WordPress Installs

Related: Many WordPress Sites Hacked via Recently Patched Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.