Description
WordPress Plugin Display Widgets injects spam links into the website's content, publicizing external websites to search engines without the website owner's authorization. WordPress Plugin Display Widgets version 2.6.3.1 is vulnerable; prior versions may also be affected.
Remediation
Disable the plugin until a fix is available.
References
https://stallion-theme.co.uk/display-widgets-plugin-review/
https://wordpress.org/support/topic/display-widgets-plugin-v2-6-3-1-includes-hacking-code/
https://wordpress.org/support/topic/display-widget-inserted-spammy-links/