Around 200,000 WordPress websites were impacted after a plugin they were using was updated to include malicious code, Wordfence reports.
Dubbed Display Widgets, the plugin was sold by its original author to a third-party developer on May 19, 2017, for $15,000. Roughly one month after that, the plugin was updated by its new owner and started displaying malicious behavior. By early September, the plugin had gone through several updates and had been already removed from the plugin repository multiple times.
The first malicious Display Widgets iteration was version 2.6.0, released on June 21 and removed from the repository two days later. It was downloading 38 megabytes of code (a large Maxmind IP geolocation database) from an external server.
On June 30, version 2.6.1 was released, containing a malicious file called geolocation.php and designed to post new content to websites running the plugin. The code also allowed the plugin author to update content and remove content and prevented logged-in users (such as site owners) from seeing the content. Display Widgets was removed from the WordPress repository on July 1.
Version 2.6.2 of Display Widgets was released a week later with modified malicious code and was removed from the plugin repository on July 24. The plugin owner published version 2.6.3 on September 2 and even included a bug fix in the malicious code. Display Widgets was removed from the WordPress plugin repository on September 8.
Before the plugin was removed the fourth time, the plugin owners suggested that the malicious code was a vulnerability that could be exploited in combination with other plugins to display spam content to users. According to Wordfence, the code was in fact a backdoor providing the authors with access to publish content on websites using the plugin.
All sites using version 2.6.1 to version 2.6.3 of Display Widgets are possibly impacted by the malicious code and might be spamming their users with unwanted content. And while the new plugin owners may say they were unaware of the malicious behavior, Wordfence claims otherwise, pointing out that they included a fix for the malicious code in the latest release, meaning they were aware of its functionality.
The person who bought the plugin in late May is Mason Soiza, 23, of the U.K., the researchers have discovered. The former authors at Strategy11 revealed that Soiza approached them claiming his firm is trying to “build one of the largest WordPress plugin companies” and that they were already managing over 34 plugins.
One of these plugins appears to be 404 to 301, which was found to deliver spam last year. The spammed content was for a website owned by Soiza, while the server used to serve spam to the plugin serves another website he owned. However, Soiza apparently claims to have purchased this plugin only earlier this year.
Wordfence also discovered that he would sometimes use the Kevin Danna alias and that he has interests in online business such as payday loans, gambling, and escort services, among others. Contacted by the researchers, Soiza claims to have sold Display Widgets for profit shortly after buying it.