Social Media Widget, a WordPress plugin used for social sharing, was recently discovered to be injecting spam into websites that use it. With nearly one million downloads, Social Media Widget illustrates a security weakness of the WordPress platform.
Analysts at Sucuri Security were the first to recognize Social Media Widget’s behavior and to recommend that users remove the plugin from their sites. They describe the plugin as injecting “payday loan” spam into user sites, behavior that could be traced back about two weeks.
The plugin has since been removed from the WordPress.org plugin repository but potentially remains active on hundreds of thousands of sites.
The plugin has since been updated and has reappeared with the following entries in its changelog (many thanks to Sean Charles for the update):
- Removed malicious code injecting spam
- Our sincere apologies to the entire WordPress community for allowing the spam injection to infiltrate your websites. We trusted the wrong people with our plugin code and it will not happen again.
- More great things to come
- Remove potentially malicious code.
Photo by USAF (slightly resized) [Public domain], via Wikimedia Commons