- Feb 4, 2016
- 2,520
For the past two and a half months, a WordPress plugin named Display Widgets has been used to install a backdoor on WordPress sites across the Internet.
The backdoor code was found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2).
The WordPress.org team has intervened and removed the plugin from the official WordPress Plugins repository. At the time it was removed, the plugin was installed on more than 200,00 sites, albeit we cannot be sure how many of these were updated to a version that included the malicious behavior.
More surprising is that WordPress.org staff members removed the plugin three times before for similar violations. A history of events is compiled below, put together with data aggregated from three different investigations by David Law, White Fir Design, and Wordfence.
Plugin sold to new developer in May
The original Display Widgets is a plugin that allowed WordPress site owners to control which, how, and when WordPress widgets appear on their sites.
Stephanie Wells of Strategy11 developed the plugin, but after switching her focus to a premium version of the plugin, she decided to sell the open source version to a new developer who would have had the time to cater to its userbase.
A month after buying the plugin in May, its new owner released a first new version — v2.6.0 — on June
The backdoor code was found between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2).
The WordPress.org team has intervened and removed the plugin from the official WordPress Plugins repository. At the time it was removed, the plugin was installed on more than 200,00 sites, albeit we cannot be sure how many of these were updated to a version that included the malicious behavior.
More surprising is that WordPress.org staff members removed the plugin three times before for similar violations. A history of events is compiled below, put together with data aggregated from three different investigations by David Law, White Fir Design, and Wordfence.
Plugin sold to new developer in May
The original Display Widgets is a plugin that allowed WordPress site owners to control which, how, and when WordPress widgets appear on their sites.
Stephanie Wells of Strategy11 developed the plugin, but after switching her focus to a premium version of the plugin, she decided to sell the open source version to a new developer who would have had the time to cater to its userbase.
A month after buying the plugin in May, its new owner released a first new version — v2.6.0 — on June
Last edited by a moderator:
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}
