Make WordPress Core

Opened 2 months ago

Closed 2 months ago

Last modified 2 months ago

#41414 closed defect (bug) (invalid)

Display Widgets Plugin Is A Trojan Horse

Reported by: calvin_ngan
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Widgets
Keywords:
Focuses:
Cc:

Description

This plugin
https://wordpress.org/plugins/display-widgets/

creates undetectable pages with spammy links.
I believe the code can be found in their geolocation.php

https://www.google.com/search?q=geckoandfly.com+payday&ie=utf-8&oe=utf-8&client=firefox-b

I've removed the secret page, but after going through my MySQL, I found a few codes that related back to the said plugin. Things like 3371_last_checked_3771 and displaywidgets_ids, all created by the plugin and inserted in wp-options.

The article and pages cannot be searched via post/page; they can only be found in wp-options.

Ever since it was sold to the new owner, it comes with many funny codes.
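An added defensive check, not part of the report or the plugin: a small scanner over an exported wp_options table (option_name, option_value pairs) that flags the option names the reporter mentions and any option value carrying a link to a host other than the site's own. The rows below are constructed sample data, and the host name example.test is an assumption.

```python
"""Flag wp_options rows worth reviewing after a suspected plugin compromise."""
import re

# Option-name fragments the report says the plugin wrote into wp_options.
KNOWN_MARKERS = ("displaywidgets_ids", "_last_checked_")

# An anchor tag pointing off-site inside an option value is the "spammy links"
# signal: hidden page content stored as an option rather than as a post.
LINK_RE = re.compile(r'<a\s[^>]*href=["\']?(https?://[^"\'\s>]+)', re.I)

# Constructed sample export (option_name, option_value); not real site data.
SAMPLE_ROWS = [
    ("siteurl", "https://example.test"),
    ("displaywidgets_ids", "a:2:{i:0;i:1337;i:1;i:1338;}"),
    ("3371_last_checked_3771", "1500000000"),
    ("widget_text",
     'a:1:{i:2;a:1:{s:4:"text";s:55:"<p>Need cash? '
     '<a href="http://spam.example/payday">payday loans</a></p>";}}'),
    ("blogname", "My Blog"),
]


def scan_options(rows, own_host):
    """Return a list of (option_name, reason) for rows that merit review."""
    findings = []
    for name, value in rows:
        if any(marker in name for marker in KNOWN_MARKERS):
            findings.append((name, "option name matches a marker from the report"))
        # Scan the raw (possibly PHP-serialized) value as a string; links are
        # visible without unserializing it.
        for url in LINK_RE.findall(value):
            host = re.sub(r"^https?://", "", url).split("/")[0]
            if host.lower() != own_host.lower():
                findings.append((name, f"off-site link in value: {url}"))
    return findings


if __name__ == "__main__":
    for option_name, reason in scan_options(SAMPLE_ROWS, "example.test"):
        print(f"{option_name}: {reason}")
```

Each hit is a row to inspect by hand; a match on name or link alone does not prove the row is malicious.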

Change History (3)

#1 follow-up: @pento
2 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed
  • Version 4.8 deleted

Thank you for the report, @calvin_ngan!

For future reference, it's best to contact the plugin team for plugin-related issues, at plugins@…. I've closed the plugin and contacted the team, for them to review it.

#2 in reply to: ↑ 1 @calvin_ngan
2 months ago

Replying to pento:

Thank you for the report, @calvin_ngan!

For future reference, it's best to contact the plugin team for plugin-related issues, at plugins@…. I've closed the plugin and contacted the team, for them to review it.

Hi, I understand, but I tried searching for a way to contact WordPress and failed to do so. Maybe it is a good idea to have a 'report' button on every plugin? The new guy behind Display Widgets has been good up to now.

#3 @pento
2 months ago

Adding a direct link to report a plugin is on the todo list, it just hasn't been tackled, yet. See #meta1598.

In the meantime, the Plugin Handbook has a page on reporting security issues with plugins.
