Security Haiku: Malicious Code in Display Widgets

We coined a new term:

“plugin identity theft”.

Let it not catch on.

A popular plugin in the WordPress.org repository has been “hijacked” (for lack of a better term) by a developer with suspicious intent. The plugin, “Display Widgets”, is described as “Adds checkboxes to each widget to show or hide on site pages”, yet the last few releases have added some unexpected new features, such as adding posts directly to the site and tracking site visitors. Wordfence, a security plugin, wrote a full explanation of how this might have happened; it’s worth a read here.

For our customers’ safety, we have banned the plugin from our customer sites. If your site hosted with Pagely was affected, we have already reached out directly to help you with the concern.

More information about the issue with this plugin can be found on WPVULNDB and in the plugin’s support forum.

Update: The plugin team at WordPress.org has released a patched version of Display Widgets which reverts it to the last known safe version, but there appears to be no author to continue maintenance of the plugin. The plugin will remain banned on our network until we see that someone has taken responsibility for the plugin and for patching its code in the future.

Which plugins and themes aside from display-widgets should you avoid? See our full list here.


  1. Collins Agbonghama

    Great to see Hosting companies warning their users against malicious plugins. As always, Pagely takes the lead.

    Collins Agbonghama
