Description
WordPress Plugin Display Widgets injects spam links into the website's content, promoting external websites to search engines without the authorization of the website's owner. WordPress Plugin Display Widgets version 2.6.3.1 is vulnerable; prior versions may also be affected.
Remediation
Disable the plugin until a fix is available.
References
https://stallion-theme.co.uk/display-widgets-plugin-review/
https://wordpress.org/support/topic/display-widgets-plugin-v2-6-3-1-includes-hacking-code/
https://wordpress.org/support/topic/display-widget-inserted-spammy-links/