Display Widgets WordPress Plugin Version Installs Backdoor on WordPress-Powered Websites
The WordPress plugin Display Widgets was discovered to be creating a backdoor on WordPress-powered websites that had the plugin installed. The backdoor code was found in Display Widgets versions 2.6.0 through 2.6.3, released from June through September of this year. Multiple versions of this plugin were removed from the WordPress plugin repository after users and others repeatedly noticed suspicious and malicious behavior, such as downloading code from a third-party server and collecting sensitive data including user IP addresses, user-agent strings, and webpages visited. Additionally, this plugin would create additional pages connected to the host site that were hidden from the website administration panel, use them to publish spam, and link them to other webpages created by the malicious code. After multiple infringements, WordPress finally removed Display Widgets from its plugin repository for good.

The NJCCIC recommends users and administrators of WordPress websites currently using the Display Widgets plugin read the Wordfence security report and promptly uninstall the plugin from their websites.
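A quick triage check an administrator can run on a WordPress host to see whether one of the backdoored releases (2.6.0 through 2.6.3) is installed, added here as an example that is not part of the NJCCIC advisory or the plugin's own code. It assumes the plugin lives under wp-content/plugins/display-widgets/ with its version in the standard "Version:" header of display-widgets.php; the sample install it builds is constructed for the stand-alone run.

```shell
#!/bin/sh
# Flags an installed Display Widgets plugin whose version is in the
# backdoored range 2.6.0 - 2.6.3. Assumption: the plugin's main file is
# wp-content/plugins/display-widgets/display-widgets.php and it carries
# the standard WordPress "Version:" header.

# Print the version declared in a plugin header file (empty if absent).
plugin_header_version() {
    # Header lines may be bare or prefixed with " * " inside a comment block.
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 if the version string is one of the releases the advisory names.
is_backdoored_version() {
    case "$1" in
        2.6.0|2.6.1|2.6.2|2.6.3) return 0 ;;
        *) return 1 ;;
    esac
}

# Check a plugins directory: prints a verdict, returns 0 only when affected.
check_display_widgets() {
    plugins_dir="$1"
    main_file="$plugins_dir/display-widgets/display-widgets.php"
    if [ ! -f "$main_file" ]; then
        echo "display-widgets not installed under $plugins_dir"
        return 2
    fi
    ver=$(plugin_header_version "$main_file")
    if is_backdoored_version "$ver"; then
        echo "AFFECTED: Display Widgets $ver - uninstall and review the Wordfence report"
        return 0
    fi
    echo "Display Widgets $ver is outside the 2.6.0-2.6.3 range"
    return 1
}

# Constructed sample install (not real plugin code) so the check runs offline.
make_sample_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/display-widgets"
    printf '<?php\n/*\nPlugin Name: Display Widgets\nVersion: %s\n*/\n' "$1" \
        > "$dir/display-widgets/display-widgets.php"
    echo "$dir"
}

sample=$(make_sample_install 2.6.1)
check_display_widgets "$sample"
```

On a live host, point check_display_widgets at the real wp-content/plugins directory instead of the constructed sample.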