Description

WordPress Plugin Display Widgets is injecting spam links into the website's content, thus publicizing external websites to search engines without the authorization of the website's owner. WordPress Plugin Display Widgets version 2.6.3.1 is vulnerable; prior versions may also be affected.

Remediation

Disable the plugin until a fix is available

References

https://stallion-theme.co.uk/display-widgets-plugin-review/

https://www.pluginvulnerabilities.com/2017/09/11/wordpress-poor-handling-of-plugin-security-exacerbates-malicious-takeover-of-display-widgets/

https://wordpress.org/support/topic/display-widgets-plugin-v2-6-3-1-includes-hacking-code/

https://wordpress.org/support/topic/display-widget-inserted-spammy-links/

https://wordpress.org/support/topic/payday-loans-seo-spam/

https://www.pluginvulnerabilities.com/2017/09/12/more-of-wordpress-poor-handling-of-plugin-security-as-seen-through-malicious-takeover-of-display-widgets/

https://wptavern.com/display-widgets-plugin-permanently-removed-from-wordpress-org-due-to-malicious-code

Related Vulnerabilities

Lighttpd Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2014-2324)

WordPress Plugin OPS Old Post Spinner 'ops_file' Parameter Local File Include (2.2.1)

Envoy Proxy Use of Incorrectly-Resolved Name or Reference Vulnerability (CVE-2019-9901)

MongoDb Resource Management Errors Vulnerability (CVE-2013-3969)

phpMyAdmin Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2009-1285)

Severity

High

Classification

CWE-610 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update