According to researchers at Wordfence who publicly disclosed the rogue plugin on Tuesday, the backdoor had been present in Display Widgets version 2.6.1 and version 2.6.3 for approximately three months. According to researchers, the plugin had been removed four times from the WordPress.org repository for similar offenses since June.
“I have never seen anything like this before,” said Weston Henry, lead security analyst at SiteLock. “I don’t know what it takes in the .ORG community to permanently delist a plugin. This instance was unique.” SiteLock had also independently identified the Display Widgets as malicious, as did others.
Problems began when the developer of the Display Widgets plugin sold the open source version of the plugin. That new owner released a version (2.6.0) of Display Widgets on June 21 and was quickly accused by competitors of breaking WordPress plugin rules.
According to SEO consultant David Law, the plugin (v2.6.0) was downloading features that enabled the plugin to track IP addresses of users, log traffic to the sites and then shared that data with a third-party website. That prompted WordPress.org to remove the plugin.
“The malicious code is not an exploit. It is a backdoor giving the author access to publish content on websites using the plugin,” Wordfence said.
Display Widgets is an orchestration-type tool that allowed WordPress site administrators to determine and manage widgets running on their site.
Just days after WordPress.org removed the plugin, a new version of Display Widgets (v2.6.1) resurfaced that attempted to skirt WordPress plugin rules by including the tracking features inside a geolocation.php file stored inside the plugin. A day later the plugin was removed only to reemerge days later when the attacker updated the plugin to v2.6.2 .
This new Display Widgets (v2.6.2) version was also quickly identified as problematic. An analysis by Wordfence revealed Display Widgets code would generate spam links on websites to third-party websites. The plugin was removed from WordPress library.
“If a site administrator had that plugin installed it would grab content from a couple of encoded URLs and inject the content,” Henry said. “Ad content would be hidden from the web administrator’s dashboard. It would also check for logged-in users and wouldn’t show the ads or links to a user or administrator.”
On Sept. 2, Display Widget (2.6.3) was back in the repository only to be removed five days later. The reason was fresh reports that the plugin was still inserting spammy links into sites.
The new owners of Display Widgets were unaware of what was going on. “Unfortunately the addition of the GEO Location made the software vulnerable to a exploit if used in conjunction with other popular plugins,” authors, “only identifying themselves as “displaywidget,” wrote in a WordPress forum.
Those behind Display Widgets claim only about 200 websites out of the potential 200,000 running the backdoor version of the plugin were impacted. SiteLock said it’s hard to tell how many sites may have been impacted.
“It is worth considering that the plugin author may have accidentally included an external library that contained someone else’s malicious code without realizing it,” said Wordfence. But, according to its investigation the authors of the plugin are actively maintaining the malicious aspects of the code, “switching between sources for spam and working to obfuscate (hide) the domain they are fetching spam from.”
The smoking gun, according to Wordfence, was that Display Widgets authors admitted they registered two of domains hosing the spam.
“Always take care to confirm the reputability of the software being used on your site,” SiteLock advises. “This means checking out the developers, and reading reviews both of the particular software you’re looking to install as well as others they’ve released. While this particular case was the result of a once-reputable plugin changing hands to a new developer with malicious intentions, it’s still important to maintain best practices.”