Security Haiku: Malicious Code in Display Widgets

We coined a new term:

“plugin identity theft”.

Let it not catch on.

A popular plugin in the WordPress.org repository has been “hijacked” (for lack of a better term) by a developer with suspicious intent. The plugin “Display Widgets” is described as “Adds checkboxes to each widget to show or hide on site pages”, yet the last few releases have quietly added features nobody asked for: inserting posts directly into the site and tracking site visitors. Wordfence, a security plugin vendor, wrote a full explanation of how this might have happened; it’s worth a read here.

For our customers’ safety, we have banned the plugin from our customer sites. If your site hosted with Pagely was affected, we have already reached out directly to help you with the concern.

More information about the issue with this plugin can be found on WPVULNDB and in the plugin’s support forum.

Update: The plugin team at WordPress.org has released a patched version of Display Widgets which reverts it to the last known safe version, but there appears to be no author to continue maintaining the plugin. The plugin will remain banned on our network until we see that someone has taken responsibility for the plugin and for patching its code in future.

Which plugins and themes aside from display-widgets should you avoid? See our full list here.
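For readers who run their own WordPress hosts, here is one way to enforce a plugin ban at the WordPress level. This is an added example, not Pagely’s tooling and not part of the Display Widgets plugin: a must-use plugin that strips banned slugs from the list of active plugins whenever it is read or written, so the banned code is never loaded and cannot be re-activated from the dashboard. The WordPress hooks used (`option_active_plugins`, `pre_update_option_active_plugins`, `plugin_action_links`) are real core filters; the ban list contents beyond `display-widgets` and the file/function names are assumptions.

```php
<?php
/**
 * Plugin Name: Banned Plugin Guard (added example)
 * Description: Keeps plugins on a host-maintained ban list from loading or being activated.
 *
 * Drop this file into wp-content/mu-plugins/. Must-use plugins load before regular
 * plugins, so the filters below run before WordPress decides which plugins to include.
 */

// Plugin directory slugs that must not run on this site. 'display-widgets' is the
// plugin from the post; the host's own ban list would extend this (assumed here).
const BPG_BANNED_SLUGS = array( 'display-widgets' );

/**
 * True if an entry from the active_plugins option ("slug/file.php" or "file.php")
 * belongs to a banned plugin.
 */
function bpg_is_banned( $plugin_file ) {
    $slug = dirname( $plugin_file );
    if ( '.' === $slug ) {                       // single-file plugin: use the file name
        $slug = basename( $plugin_file, '.php' );
    }
    return in_array( $slug, BPG_BANNED_SLUGS, true );
}

/**
 * Return the list with banned entries removed; leaves the input untouched otherwise.
 */
function bpg_strip_banned( $plugins ) {
    $plugins = (array) $plugins;
    return array_values( array_filter( $plugins, function ( $p ) {
        return ! bpg_is_banned( $p );
    } ) );
}

// 1. Whenever WordPress reads the list of active plugins, hide banned ones, so their
//    code is never included on any request (front end, admin, cron, REST, WP-CLI).
add_filter( 'option_active_plugins', 'bpg_strip_banned' );

// 2. Whenever the list is written (single or bulk activation), drop banned entries
//    before they are saved and log the attempt, which is a useful signal that someone
//    (or something) is trying to turn the plugin back on.
add_filter( 'pre_update_option_active_plugins', function ( $new_value ) {
    $cleaned = bpg_strip_banned( $new_value );
    if ( count( $cleaned ) !== count( (array) $new_value ) ) {
        error_log( 'banned-plugin-guard: blocked activation of a banned plugin' );
    }
    return $cleaned;
} );

// 3. In the Plugins screen, replace the Activate link with a notice so site owners
//    can see why the plugin will not switch on.
add_filter( 'plugin_action_links', function ( $actions, $plugin_file ) {
    if ( bpg_is_banned( $plugin_file ) ) {
        unset( $actions['activate'] );
        $actions['banned'] = '<span style="color:#a00">Disabled by host</span>';
    }
    return $actions;
}, 10, 2 );
```

Two caveats a practitioner would want. On multisite, network-activated plugins live in the `active_sitewide_plugins` site option (an array keyed by plugin file, not a plain list), so the equivalent `site_option_` and `pre_update_site_option_` filters need the same treatment with key-based filtering. And blocking the plugin only stops it running: the posts it already inserted and any data it sent out are not undone by deactivation, so affected sites still need a content review.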

1 Comment

  1. Collins Agbonghama

    Great to see hosting companies warning their users against malicious plugins. As always, Pagely takes the lead.