A WordPress plugin called Display Widgets has been found to contain a backdoor that could allow hackers to access what is posted on the site and modify content on infected pages.
Incidentally, this is not the first time that WordPress sites have been targeted by hackers this year.
PC Authority reports that over 200,000 sites have been affected by this plugin. Security experts recommend that website owners who use the Display Widgets plugin uninstall it as soon as possible.
Display Widgets was first created as an open-source plugin, but was reported to have been sold off to a third party in June this year.
Soon after, an update, version 2.6.0, was released by the new owners, which contained code that could download data from users' servers, notes Wordfence. The IT security firm was alerted to this issue by a UK-based SEO consultant, David Law, who identified this threat on his own site.
"The authors of this plugin [Display Widgets] have been using the backdoor to publish spam content to sites running their plugin. During the past three months the plugin has been removed and readmitted to the WordPress.org plugin repository a total of four times," Mark Maunder, CEO of Wordfence, said in a statement.
The plugin received another update, version 2.6.1, which contained a file identified as "geolocation.php". This file contained malicious code that allowed the plugin's authors to post any content they wanted on the host site, at a URL of their choice.
Because the malicious code hid the injected content from any logged-in user, owners of sites infected with this update could not see what new content had been posted on their site, Maunder said. The plugin was also found to be logging visits to each website on an external server.
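The cloaking behaviour described above, where injected content is served to anonymous visitors but hidden from logged-in users, can be detected from the outside by fetching the same page twice, once anonymously and once with a logged-in session cookie, and comparing the outbound links. The following script is an added example written for this article; it is not code from the article, from Wordfence, or from the plugin. The sample HTML documents, the site host `example.org` and the spam host `spam-placeholder.example` are constructed for the demonstration, and `fetch()` assumes a WordPress login cookie has already been obtained from a browser session.

```python
"""Added example: detect content cloaked from logged-in users by diffing the
anonymous and authenticated views of a page. Not code from the article."""
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def outbound_hosts(html_text, site_host):
    """Return the set of external hosts linked from the page.

    Relative links (empty netloc) and links back to the site itself are
    ignored, since injected spam normally points somewhere else.
    """
    parser = LinkCollector()
    parser.feed(html_text)
    hosts = set()
    for href in parser.links:
        host = urlparse(href).netloc.lower()
        if host and host != site_host.lower():
            hosts.add(host)
    return hosts


def cloaked_hosts(anon_html, auth_html, site_host):
    """Hosts linked only in the anonymous view: the signature of cloaked spam."""
    return sorted(outbound_hosts(anon_html, site_host) - outbound_hosts(auth_html, site_host))


def fetch(url, login_cookie=None):
    """Fetch a page, optionally as a logged-in WordPress user.

    Assumption: login_cookie is the raw Cookie header value copied from an
    authenticated browser session (e.g. the wordpress_logged_in_* cookie).
    """
    headers = {"User-Agent": "cloak-check/1.0"}
    if login_cookie:
        headers["Cookie"] = login_cookie
    with urlopen(Request(url, headers=headers), timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample pages standing in for the two fetches of one post.
ANON_SAMPLE = """<html><body>
<p>Welcome to our blog.</p>
<a href="/about">About</a>
<a href="https://example.org/contact">Contact</a>
<div style="display:none"><a href="http://spam-placeholder.example/offer">cheap offer</a></div>
</body></html>"""

AUTH_SAMPLE = """<html><body>
<p>Welcome to our blog.</p>
<a href="/about">About</a>
<a href="https://example.org/contact">Contact</a>
</body></html>"""


def check_site(url, site_host, login_cookie):
    """Fetch both views of a live page and report any cloaked hosts."""
    return cloaked_hosts(fetch(url), fetch(url, login_cookie), site_host)


if __name__ == "__main__":
    # Offline run over the constructed samples; a real audit would call
    # check_site("https://example.org/", "example.org", COOKIE) instead.
    print("cloaked hosts:", cloaked_hosts(ANON_SAMPLE, AUTH_SAMPLE, "example.org"))
```

Run against a real site, any host reported by `check_site()` deserves a look in the plugin directory and in outbound requests from the server, since the hidden content is invisible in the WordPress admin view by design.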
Law contacted the developers about these issues after which the plugin was pulled from WordPress temporarily, Maunder added.
Display Widgets reportedly re-emerged in the WordPress repository early in July, with another update labelled 2.6.2. This also contained the malicious code, which apparently went unnoticed.
Later in the month, a user complained that Display Widgets had been spamming his site. He included a link to Google results that had indexed the spam.
In September, another update, version 2.6.3, was released by the plugin's operators; users on the WordPress forum picked up on this and reported that Display Widgets had injected spam into their websites.
"The authors of the plugin are actively maintaining their malicious code, switching between sources for spam and working to obfuscate the domain they are fetching spam from," said Maunder.
The plugin was sold on 8 September and is now owned by a firm identified as WP Devs, says the report. Maunder added that the WordPress community should not start any witch hunts in this case.
"Occasionally plugins change ownership and very rarely, that doesn't go well. That appears to be what happened in this case," he said.