Backdoored Display Widgets Plugin potentially affects 200,000 WordPress installs abusing them to spam content

Pierluigi Paganini September 15, 2017

Around 200,000 WordPress websites using the Display Widgets Plugin were impacted after it was updated to include malicious code.

According to security firm Wordfence, roughly 200,000 WordPress websites were impacted after a plugin they were using was updated to include a backdoor.

“If you have a plugin called “Display Widgets” on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor.” reported Wordfence.

“The authors of this plugin have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times. The plugin is used by approximately 200,000 WordPress websites, according to WordPress repository.”


The original author sold Display Widgets to a third-party developer on May 19, 2017, for $15,000.

A month after the sale, the new owner updated the plugin for the first time, and it began showing strange behavior. The plugin was updated several times up to September, by which time it had already been removed from the plugin repository multiple times.

Display Widgets version 2.6.0, released on June 21, was removed from the repository just two days later, after experts noticed it was downloading 38 megabytes of code (a Maxmind IP geolocation database) from an external server.

A few days later, on June 30, version 2.6.1 was released. It was found to contain a malicious file called geolocation.php that allowed the author to post new content to websites running the plugin. The code also allowed the author to update and remove content without giving any indication to the site admins.

Display Widgets was removed from the WordPress repository on July 1, but the author continued to issue further releases.

Version 2.6.2 of Display Widgets was released a week later with updated malicious code, and the plugin was removed from the plugin repository again on July 24. The plugin owner published version 2.6.3 on September 2; in this case too, the malicious code had been updated to fix a bug. Display Widgets was removed from the WordPress plugin repository on September 8.

Plugin owners speculated that the malicious code was a vulnerability that could be exploited in combination with other plugins to display spam content to users.

According to the experts, WordPress installs using version 2.6.1 to version 2.6.3 of Display Widgets are possibly impacted by the malicious code and might be displaying spam content.
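A check a site owner could run against the indicators named in this report, as an added example (not code from Wordfence or from the plugin): it looks under the default `wp-content/plugins` directory for a plugin whose header names Display Widgets, reports whether its version falls in 2.6.1 to 2.6.3, and lists any `geolocation.php` inside it. The function names, the header-matching approach and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Version range the article reports as carrying the malicious code.
AFFECTED_MIN, AFFECTED_MAX = (2, 6, 1), (2, 6, 3)
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.M | re.I)
VER_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.M | re.I)

def version_tuple(text):
    parts = [int(p) for p in text.split(".") if p]
    return tuple(parts + [0, 0, 0])[:3]  # "2.6" compares as (2, 6, 0)

def check_plugin_dir(plugin_dir):
    """Return a finding dict if the directory holds Display Widgets, else None."""
    plugin_dir = Path(plugin_dir)
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # plugin header sits at the top
        name, ver = NAME_RE.search(head), VER_RE.search(head)
        if not name or name.group(1).lower() != "display widgets":
            continue
        version = ver.group(1) if ver else None
        in_range = bool(version) and AFFECTED_MIN <= version_tuple(version) <= AFFECTED_MAX
        geo = sorted(str(p.relative_to(plugin_dir)) for p in plugin_dir.rglob("geolocation.php"))
        return {"header_file": php.name, "version": version,
                "in_affected_range": in_range, "geolocation_php": geo}
    return None

def scan_wordpress(wp_root):
    """Check every plugin directory; the key is the directory name on disk."""
    plugins = Path(wp_root) / "wp-content" / "plugins"
    dirs = sorted(p for p in plugins.iterdir() if p.is_dir())
    return {d.name: hit for d in dirs if (hit := check_plugin_dir(d))}

def demo():
    """Constructed sample tree: an affected copy, an older copy, an unrelated plugin."""
    root = Path(tempfile.mkdtemp())
    samples = [("display-widgets", "Display Widgets", "2.6.1", True),
               ("display-widgets-old", "Display Widgets", "2.05", False),
               ("hello-sample", "Hello Sample", "2.6.2", False)]
    for slug, name, ver, geo in samples:
        d = root / "wp-content" / "plugins" / slug
        d.mkdir(parents=True)
        (d / "main.php").write_text(f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
        if geo:
            (d / "geolocation.php").write_text("<?php // constructed placeholder\n")
    return scan_wordpress(root)
```

Matching on the plugin header rather than the directory name catches copies installed under a renamed folder; a hit outside the affected range still identifies the plugin Wordfence advises removing.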

Wordfence highlighted that the new plugin owners may have intentionally acted to compromise the websites using the plugin, because they included a fix for the backdoor in the latest release, meaning they were aware of its flaw and were exploiting it for malicious purposes.

Further investigation allowed the experts to discover that the man behind the plugin spam was the Briton Mason Soiza (23), who bought the plugin in late May. The original author, who goes online with the moniker Strategy11, confirmed that Soiza approached his development team claiming his firm was trying to “build one of the largest WordPress plugin companies” and that they were already distributing over 34 plugins.

One of these plugins, dubbed 404 to 301, was found delivering spam for a website owned by Soiza last year. The server used to serve spam to the plugin hosts a website owned by Soiza. While Soiza claims to have purchased the Display Widgets plugin only earlier this year, experts with Wordfence believe he could be involved in suspicious activities. Wordfence discovered that he also used the Kevin Danna alias and that he has interests in online businesses such as payday loans, gambling, and escort services, among others.

“He has interests in a wide range of online business that include payday loans, gambling and ‘escort’ services, among others.” reported Wordfence.

Soiza claims to have sold Display Widgets for profit shortly after buying it and denied being involved in any illegal activity.

Pierluigi Paganini

(Security Affairs – Display Widgets, spam)
