WordPress is one of the most popular platforms for creating dynamic websites. For the past two and a half months, a WordPress plug-in named “Display Widgets” has been installing a backdoor on WordPress websites. According to researchers, this backdoor is present in versions 2.6.1 to 2.6.3, which were released between 30th June and 2nd September. The official WordPress team has removed this plug-in from their repository.
Display Widget Timeline
The original Display Widgets plug-in was developed by Stephanie Wells. With this plug-in, website owners can control which WordPress widgets are displayed on the website. Later, Stephanie Wells sold the open source version to a new developer. A month after that, the new owner released the first new version, V2.6.0, on June 21.
Just a day later, David Law, the author of another plug-in, Display Widgets SEO Plus, complained to the wordpress.org team that V2.6.0 was violating the WordPress plug-in rules because it downloaded over 38MB of code from a third-party server. This code contained tracking features and collected data such as IP addresses, browsing history, user-agent strings and so on. Later, the author released V2.6.1 on July 1. This time, David claimed that it contained a malicious backdoor that allowed the plug-in's owner to connect to a remote website and create a new post. A day later, the official WordPress.org team again removed this plug-in from the repository. The third breakdown happened when the author released version 2.6.2 to the plug-in repository on July 6. For a few days, the plug-in didn’t show any malicious behavior. However, this didn’t last for long. On July 23, a user named Calvin Ngan filed a complaint claiming that the plug-in contains [creating] undetectedable [sic] pages with spammy links. Later, an official investigator confirmed that this version was also creating new pages into which links to other sites were inserted. This incident was followed by a fourth breakdown. This time, version 2.6.3 had the same data breach issue. On Sept 7, another user claimed that this plug-in inserted spammy links on his website.
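A site owner reading the timeline above has two concrete things to check: whether the installed Display Widgets copy falls in the affected 2.6.1 to 2.6.3 range, and whether any posts or pages now carry links to sites they never linked to. The script below is an added triage example written for this article; it is not code from the article, from Wordfence, or from the plug-in. The plug-in header text, the post records and the site host `example.com` are constructed sample data, and the function names are the example's own.

```python
import re
from urllib.parse import urlparse

# Affected Display Widgets releases named in the article (inclusive range).
AFFECTED_MIN = (2, 6, 1)
AFFECTED_MAX = (2, 6, 3)

# Constructed sample of a WordPress plugin header block (hypothetical file
# contents, not the real plug-in's source). On a live site this would be read
# from wp-content/plugins/display-widgets/display-widgets.php.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Display Widgets
Plugin URI: https://example.invalid/display-widgets
Description: Control which widgets are displayed on which pages.
Version: 2.6.2
Author: hypothetical-author
*/
"""


def parse_plugin_header(php_source):
    """Return the 'Key: value' pairs from the first comment block of a plugin file."""
    header = {}
    block = re.search(r"/\*(.*?)\*/", php_source, re.S)
    if not block:
        return header
    for line in block.group(1).splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
    return header


def parse_version(version):
    """Turn '2.6.2' (or '2.7', '2.6.3-beta') into a comparable 3-tuple of ints."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(version):
    """True when the version lies in the 2.6.1 to 2.6.3 range the article names."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed sample post rows, shaped like the columns of wp_posts.
SAMPLE_POSTS = [
    {"ID": 11, "post_title": "About us", "post_status": "publish",
     "post_content": '<p>Welcome. <a href="https://www.example.com/contact">Contact</a></p>'},
    {"ID": 12, "post_title": "qwe", "post_status": "publish",
     "post_content": '<p>cheap stuff <a href="http://spam-one.invalid/x">here</a> '
                     'and <a href="http://spam-two.invalid/y">there</a></p>'},
]

LINK_RE = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def external_link_hosts(html, site_host):
    """Hostnames linked from the HTML that are not the site itself or a subdomain of it."""
    hosts = set()
    for url in LINK_RE.findall(html):
        host = urlparse(url).hostname or ""
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.add(host)
    return sorted(hosts)


def find_suspicious_posts(posts, site_host):
    """List (ID, title, external hosts) for every post that links off-site."""
    findings = []
    for post in posts:
        hosts = external_link_hosts(post["post_content"], site_host)
        if hosts:
            findings.append((post["ID"], post["post_title"], hosts))
    return findings


if __name__ == "__main__":
    header = parse_plugin_header(SAMPLE_PLUGIN_HEADER)
    print(header.get("Plugin Name"), header.get("Version"),
          "AFFECTED" if is_affected_version(header.get("Version", "0")) else "ok")
    for post_id, title, hosts in find_suspicious_posts(SAMPLE_POSTS, "example.com"):
        print(f"post {post_id} ({title!r}) links to: {', '.join(hosts)}")
```

The link check is deliberately broad: it flags every off-site link rather than trying to recognise particular spam domains, so the owner reviews a short list of pages and decides which links they actually placed. Feeding it real data means selecting `ID, post_title, post_status, post_content` from `wp_posts` and passing the rows in the same dict shape.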
In a recent update, Wordfence researchers have continued to take a dig at the new owner, and they believe they have identified the person behind the plug-in. They claim that he is the same person who was behind the hijacking of the 404 and 301 WordPress plug-in.