A breached version of a popular plugin – the Social Media Widget plugin – was uploaded to the WordPress plugin repository in recent weeks. The breach was discovered last night.
- WordPress.org has updated the plugin to remove the malicious code.
- We immediately initiated a system-wide update of the plugin on all Synthesis sites using it. This update is complete.
- The plugin is being removed from the repository and we strongly advise you to find an alternative plugin as soon as possible.
Find an alternative
We debated simply removing the plugin immediately from all sites using it, but that could have broken the functionality of sites relying on it. We didn’t want to do that.
Do not be lulled into a false sense of security by the cleaned version 4.0.1. It is only a placeholder, created by the WordPress team so the malicious code could be removed without immediately breaking site functionality, and it will not be updated long-term.
So it is safe to use for now, but you need to find an alternative. Unsupported plugins are not good for your long-term security.
Note: at this time we do not have an official recommendation for an alternative. Feel free to comment below if you know of or find a good one and we’ll vet it.
If you would like more details about the breach, read about it on Sucuri’s blog here. They were all over this last night, which is why we continue to value their partnership in keeping your websites secure.
The WordPress team was also all over this. They realized the breach quickly, removed the plugin from the repository, submitted the stable update in its place to prevent its users from having to forgo its functionality, and they will most likely never allow the plugin back in the repository.