WordPress.com has removed the rather popular Social Media Widget plugin (nearly a million downloads) from the plugin repository. The most recent version of the plugin was found to be injecting spam messages alongside the social media icons on the sites using it.
It seems that the original author sold the plugin for an undisclosed price at the start of the year, and that someone working on the plugin for the new owners either had his account hacked or deliberately placed the code that generates the spam content into the plugin. A post on the WordPress forums contains comments from the original owner dissociating himself from the issue, and from WordPress admins stating that they are working with the new owners of the plugin to address it.
Nevertheless, the question that comes to mind is: how did a harmless plugin turn into a spam-dispatching Trojan without anyone noticing? Which plugins can we trust moving forward? One thing to learn is that we should not rush to update our WordPress plugins.
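One practical way to act on that advice is to review what a pending plugin update actually adds before applying it. The script below is an added example, not code from the original post or from the plugin discussed: it diffs the installed plugin files against the files from the new version and flags newly added lines that fetch remote content, evaluate decoded strings, or point at URLs outside a list of hosts the site already trusts. The plugin file names, the file contents and the `placeholder.example` URL are all constructed sample data, not taken from the real plugin.

```python
"""Added example (not part of the original post): review a WordPress plugin
update by diffing the installed files against the new version and flagging
risky additions. All plugin content below is constructed sample data."""
import difflib
import re
from typing import Dict, List, Sequence

# PHP constructs that deserve a second look when they *newly* appear in an update.
RISKY_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"\bbase64_decode\s*\("),
    re.compile(r"\b(file_get_contents|curl_exec|wp_remote_get)\s*\("),
    re.compile(r"https?://[^\s'\"]+"),  # any URL; trusted hosts are filtered below
]


def diff_added_lines(old: str, new: str) -> List[str]:
    """Return the lines present in `new` but not in `old` (the '+' lines of a unified diff)."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def review_update(old_files: Dict[str, str], new_files: Dict[str, str],
                  trusted_hosts: Sequence[str] = ()) -> Dict[str, List[str]]:
    """Map each changed or new file to the added lines matching a risky pattern.

    A URL that points at one of `trusted_hosts` is ignored, so the usual
    share links to social networks do not produce noise."""
    findings: Dict[str, List[str]] = {}
    for path, new_src in new_files.items():
        added = diff_added_lines(old_files.get(path, ""), new_src)
        for line in added:
            for pat in RISKY_PATTERNS:
                match = pat.search(line)
                if not match:
                    continue
                is_url = pat.pattern.startswith("https?")
                if is_url and any(host in match.group(0) for host in trusted_hosts):
                    continue
                findings.setdefault(path, []).append(line.strip())
                break  # one finding per added line is enough
    return findings


# Constructed sample: the installed version renders a share link only.
OLD_PLUGIN = {
    "social-widget.php": "<?php\nfunction smw_icons() {\n"
                         "  echo '<a href=\"https://twitter.com/share\">tw</a>';\n}\n",
}

# Constructed sample: the update pulls remote content into the widget output and
# ships a new file with an obfuscated payload. Hypothetical, not the real plugin.
NEW_PLUGIN = {
    "social-widget.php": "<?php\nfunction smw_icons() {\n"
                         "  echo '<a href=\"https://twitter.com/share\">tw</a>';\n"
                         "  echo file_get_contents('http://placeholder.example/ads');\n}\n",
    "helper.php": "<?php eval(base64_decode('...'));\n",
}


def demo() -> Dict[str, List[str]]:
    """Run the review over the constructed samples."""
    return review_update(OLD_PLUGIN, NEW_PLUGIN, trusted_hosts=("twitter.com",))


if __name__ == "__main__":
    for path, lines in demo().items():
        print(f"{path}:")
        for line in lines:
            print(f"  + {line}")
```

Running it prints the two added lines that warrant a look (the remote fetch in `social-widget.php` and the `eval(base64_decode(...))` in the new `helper.php`), while the unchanged share link produces no finding. A clean update is not proof of safety, but an update that cannot pass this kind of review is a good reason to wait.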