Update your Social Media Widget plugin for WP - malicious code injecting spam

Discussion in 'BlackHat Lounge' started by white_wolf, May 23, 2013.

  1. white_wolf

    white_wolf Junior Member

    Feb 23, 2012
    Likes Received:
    Those of you using the WP Social Media plugin from author Blink Web Effects, should update the plugin to 4.0.2. As per their changelog below, a malicious code was injected a couple of days ago. The plugin has over 1 mil downloads so I thought that some of you may be using it as well. Upon searching Google for the anchor text, it looks like there are around 10k of results containing already infected websites.

    The bloke's website seems to be registered yesterday with clear details in the whois, so that's pretty fresh spam. Even if the name he used is fake, I would have still ticked the $1 hide whois box when registering the domain. That would be the proper way to do blackhat IMHO. One can't have too much privacy..

    I'm not going to make any more details public here as it would not be a fair game I guess. Maybe he's a member here, don't know, but there's no point in burning a man publicly for trying to make a living. Everyone chooses their own path. Hat's off to him for pulling the stunt, good for me that I noticed it early. ;)

    This is the plugin that I'm talking about: http://wordpress.org/plugins/social-media-widget/changelog/

    Removed malicious code injecting spam
    Our sincere apologies to the entire Wordpress community for allowing the spam injection to infiltrate your websites. We trusted the wrong people with our plugin code and it will not happen again.
    More great things to come
    Remove potentially malicious code.
    Arrange your icons in a custom order!
    You can now adjust the Alt and Title tags for each icon individually.
    Change the "target" properties for each icon individually (open in same or new window).
    Google+ now includes rel="publisher"
    Updated Twitter icon in default pack to the official icon
    Last edited: May 23, 2013