spam have removed the rather popular Social Medial Widget (nearly a million downloads) from the plugin repository. The most recent version of the plugin was found to be injecting spam messages with the social media icons on the sites using the plugin.

It seems that that original author has sold the plugin for an undisclosed price at the start of the year, and someone working on the plugin for the new owners either had his account hacked or maliciously placed the code that generates the spam content into the plugin. A post on the WordPress forums contains comments from the original owner dissociating himself from the issue and WordPress admins stating that they are working with the new owners of the plugin to address the issue.

Nevertheless, the question that comes to mind is: How did a harmless plugin unknowingly become a spam dispatching Trojan? Which plugins can we trust moving forward? One thing to learn is that we should not rush to update our WordPress plugins.


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.

  • Is it a good idea to advise people not to rush to update their plugins? I thought people are strongly encouraged to keep them updated. If we don’t rush, this implies we’re supposed to wait and do something, but what? Investigate each plugin? How?

    Just curious. 🙂

  • Hi Carla,

    That is a very good question. In a way, this is very similar to installing OS updates (or any software update). Some people rush to install the update, others prefer to wait to see if there are any repercussions, while others test the update in a test environment. Testing an update before installing it is a good idea, however not everyone can afford doing that, in which case, waiting a few days to see what others have to say about the update would be a better idea.

    Keep in mind that not all updates have security fixes. In these cases, there is no need to rush to install the update.

  • Comments are closed.