The Display Widgets plugins has been removed from the WordPress Plugin repository after it was found to contain malicious code that was used to inject spam content onto the pages of WordPress sites. Display Widgets should be uninstalled immediately. The plugin should be removed even if the site’s owners and admins see no sign their site is affected because the malicious content is hidden from logged-in users.

Display Widgets has over 200,000 active installations. It’s a simple plugin that allows WordPress site owners to choose whether widgets are displayed on pages. For most of its life, Display Widgets was a legitimate plugin that did exactly what it claimed to do. After it was acquired by a new group of developers, malicious code was added so that the plugin could call out to an external server and inject spam content into the site’s pages.

Developers are free to transfer the ownership of their plugins, and when they do there’s always a risk that the new developers will abuse the trust and goodwill built by the original owners. In this case, the problem was identified and mitigated quite quickly.

Because the plugin has been removed, WordPress users will no longer be able to install it. If it is already installed, the site’s administrators will have to delete it. There is no standard mechanism for the WordPress project to inform site owners that a plugin has been removed. That’s worrying because users don’t often check back on the status of plugins once they’re installed. Tens of thousands of sites may have Display Widgets installed without the owner having any idea of the risk.

The ability to inject content into a web page is a coup for online criminals. They can use that ability to inject advertising, links that redirect to malware sites, or code that infects visitors. In this case, it appears the compromised plugin injected SEO spam.

The term SEO spam, or spamdexing, covers various techniques for getting web pages indexed and ranked in search engines. One technique is to inject links to the malicious pages into the content of legitimate sites.

Plugins that inject SEO spam are not unusual. Pirate or “nulled” premium plugins often include malicious code of this sort, which is why it’s never a good idea to install a pirate plugin on your site.

Although removing the plugin is advisable, the WordPress plugin team has released a new version (2.7) of the plugin without the malicious code. They rolled the code back to an older version without the malicious code and then released it as a new version. You won’t be able to find the new version on the plugin repository, but you should be able to upgrade to it if Display Widgets is already installed.

The WordPress plugin team is not allowing the plugin to be adopted by another developer, so the “safe” version should be considered a stopgap measure until an alternative can be found, not a permanent solution.