Poisoned WordPress ‘Display Widgets’ plugin finally purged

You know how you are regularly reminded that good “security hygiene” includes immediately installing all software patches and updates?

Apparently not all the time.

Wordfence reported this week that since June, about 200,000 WordPress websites had been corrupted after a plugin they were using called Display Widgets was updated with malicious code – multiple times.

The warning from Wordfence CEO Mark Maunder was blunt:

If you have a plugin called ‘Display Widgets’ on your WordPress website, remove it immediately. The last three releases of the plugin have contained code that allows the author to publish any content on your site. It is a backdoor.

Actually, Maunder said, from June 22 through September 8, the plugin had been “removed and readmitted to the WordPress.org plugin repository a total of four times. This time we hope it is permanent,” he said. WordPress said this week that yet another, clean version of the plugin is now “safe and available”.

According to Wordfence, the alleged source of these multiple malicious updates, described in a couple of lengthy blog posts, is a 23-year-old Brit named Mason Soiza.

It started last May, when Stephanie Wells, of Strategy 11, original author of the plugin, sold it to Soiza for $15,000 because it was an open-source version and she wanted to concentrate on a premium version. She said Soiza told her that he was “trying to build one of the largest WordPress plugin companies” which was “already managing more than 34 plugins”.

Maunder was unable to confirm the 34, but did confirm that one of those plugins was “404 to 301”, found last year to deliver spam. The Briton alleged to be behind these plugins owns the domains that are used for spamming with that plugin. So, it is probably not surprising that shortly after his purchase of Display Widgets, the problems began, with the release of version 2.6.0 on June 21.

David Cameron Law, an SEO consultant and author of a competing plugin named Display Widgets SEO Plus, noticed it immediately, and emailed WordPress.org on June 22 telling them that version 2.6.0 was breaking WordPress plugin rules by downloading more than 38MB of code from the author’s own server. He said the code contained tracking features that collected data from websites using the plugin – data including IP addresses, domains and the pages being viewed.

Maunder credited Law with being

… the first person to raise a concern about this plugin and pursued his case relentlessly on the WP forums with, at times, resistance from the plugin authors and others.

Law’s notice prompted the first takedown of the plugin, on June 23. But version 2.6.1 arrived June 30, which was allowed back into the repository even though it contained a file called geolocation.php because “no one realized at the time [it] contained malicious code,” Maunder said.

Once again, Law notified WordPress – this time that the plugin was logging website visits to an external server. A day later, on July 1, that version was removed. But 2.6.2 arrived just five days later, on July 6, even though it still contained the malicious code.

That version remained until July 24, when the plugin was again taken down after users complained about it injecting spam content into their websites.

Finally, 2.6.3 was released on September 2, and this time, Maunder said, it included a minor fix to the malicious code “which makes it clear that the authors themselves are maintaining the malicious code and understand its operation”.

It prompted more complaints about the plugin delivering spam to websites, so it was taken down, apparently for good, on September 8. WordPress’s Pizdin Dim posted that the plugin was no longer available, followed by a post from Samuel Wood, who said for existing users, “the 2.7 version being offered thru the upgrade system is safe and available”.

And what of the 23-year-old Briton? Maunder was able to get into email contact with him, who said that he had sold Display Widgets for $20,000, “to a company in California who made me sign a NDA”.

He also said he had been diagnosed with lung cancer and had “only a few months/maybe a year left on this earth. So I sold up all my plugins to numerous people.”

Maunder is skeptical of the lethal disease story. Besides being involved in a string of other sketchy enterprises – payday loans (he is listed as CEO of Payday Loans Now), gambling and escort services – the man appears to be living large, posting on Facebook that he had attended the Monaco Grand Prix earlier this year, an drinking $16 cocktails at a New York bar. We think he’ll be with us for a while.