Two days ago, the Sucuri Blog reported a serious security problem with the Social Media Widget for WordPress, one of the world’s most popular open source blogging platforms.
To quote:
If you are using the Social Media Widget plugin (social-media-widget), make sure to remove it immediately from your website. We discovered it is being used to inject spam into websites and it has also been removed from the WordPress Plugin repository.
This is a very popular plugin with more than 900,000 downloads. It has the potential to impact a lot of websites.
The plugin has a hidden call to this URL: httx://i.aaur.net/i.php, which is used to inject “Pay Day Loan” spam into the web sites running the plugin.
The authors report that the malicious code was added only 12 days ago, when version 4.0 of the plug-in was released, and The H Online IT news site reports that the package changed maintainers back in January this year.
Besides removing this particular widget, users are advised to find another plug-in to replace it.