The “Display Widgets” plug-in, with more than 200 thousand installations, has finally been removed from the WordPress plug-in directory after a series of incidents in which malicious code was shipped in new releases.
This code was a backdoor that allowed the plug-in's owners to control the content of sites running the plug-in and to insert their own ad units. All users of Display Widgets are advised to stop using the 2.6.x branch.
The problems began after the original author of the plug-in, who wanted to develop a commercial counterpart, sold “Display Widgets” to another developer who promised to keep supporting it. On June 21, a month after the sale was completed, the new owner released update 2.6.0, which added visitor geolocation based on a GeoIP database.
The day after the release, a complaint was filed with the administrators of the WordPress plug-in directory about a violation of the requirements for add-ons hosted in the catalog. In particular, it turned out that the plug-in downloaded about 38 MB of IP geolocation data from MaxMind. The add-on was removed from the catalog, and a week later the new owner released an update that fixed the problem by bundling the GeoIP database into the main package as a geolocation.php file. The add-on was restored to the catalog.
A review of the new code revealed another rule violation: the plug-in transmitted information about visitors to an external server, violating users' privacy. On July 1 the add-on was blocked a second time, and on July 6 release 2.6.2 appeared with log sending disabled by default. The add-on was restored once more, but on July 23 complaints began to surface about spam appearing on sites running the “Display Widgets” plug-in, confirmed by links to the Google cache.