Description

WordPress Plugin Display Widgets is injecting spam links into the website's content, thus publicizing external websites to search engines without the authorization of the website's owner. WordPress Plugin Display Widgets version 2.6.3.1 is vulnerable; prior versions may also be affected.

Remediation

Disable the plugin until a fix is available

References

https://stallion-theme.co.uk/display-widgets-plugin-review/

https://www.pluginvulnerabilities.com/2017/09/11/wordpress-poor-handling-of-plugin-security-exacerbates-malicious-takeover-of-display-widgets/

https://wordpress.org/support/topic/display-widgets-plugin-v2-6-3-1-includes-hacking-code/

https://wordpress.org/support/topic/display-widget-inserted-spammy-links/

https://wordpress.org/support/topic/payday-loans-seo-spam/

https://www.pluginvulnerabilities.com/2017/09/12/more-of-wordpress-poor-handling-of-plugin-security-as-seen-through-malicious-takeover-of-display-widgets/

https://wptavern.com/display-widgets-plugin-permanently-removed-from-wordpress-org-due-to-malicious-code

Related Vulnerabilities

WordPress Plugin Tierra's Billboard Manager SQL Injection (1.14)

WordPress Plugin Social Sharing-Kiwi Security Bypass (2.1.0)

WordPress Plugin Smart Slideshow Arbitrary File Upload (2.4)

WordPress Plugin OptionTree Cross-Site Scripting (2.5.3)

Drupal Core Cross-Site Scripting (8.0.0 - 9.1.15)

Severity

High

Classification

CWE-610 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Tags

Missing Update