WordPress Plugin Display Widgets Spam Links Injection (2.6.3.1) - Vulnerability Database

WordPress Plugin Display Widgets Spam Links Injection (2.6.3.1)

Description

WordPress Plugin Display Widgets is injecting spam links into the website's content, thus publicizing external websites to search engines without the authorization of the website's owner. WordPress Plugin Display Widgets version 2.6.3.1 is vulnerable; prior versions may also be affected.

Remediation

Disable the plugin until a fix is available

References

https://stallion-theme.co.uk/display-widgets-plugin-review/

https://www.pluginvulnerabilities.com/2017/09/11/wordpress-poor-handling-of-plugin-security-exacerbates-malicious-takeover-of-display-widgets/

https://wordpress.org/support/topic/display-widgets-plugin-v2-6-3-1-includes-hacking-code/

https://wordpress.org/support/topic/display-widget-inserted-spammy-links/

https://wordpress.org/support/topic/payday-loans-seo-spam/

https://www.pluginvulnerabilities.com/2017/09/12/more-of-wordpress-poor-handling-of-plugin-security-as-seen-through-malicious-takeover-of-display-widgets/

https://wptavern.com/display-widgets-plugin-permanently-removed-from-wordpress-org-due-to-malicious-code

Related Vulnerabilities

Severity

High

Classification

CWE-610

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N