WordPress.org

Support

Support » Plugins and Hacks » [Resolved] Anyone know why Social Media Widget was removed?

[Resolved] Anyone know why Social Media Widget was removed?

  • mvandemar
    Participant

    @mvandemar

    I am rebuilding a client’s site that was hacked, and this is one of the plugins they were using. I went to grab a fresh copy and it looks like it was yanked from the repositories some time in the past week. Does anyone happen to know why? I can still access the most recent version via downloads.wordpress.org, but I don’t want to use it if it was pulled due to security concerns.

    Thanks.

    -Michael

    http://wordpress.org/extend/plugins/social-media-widget/

Viewing 15 replies - 1 through 15 (of 29 total)
  • I think you posted a wrong link above. Try that. Which plugin out of the list there do you want to download?

    annoyingmouse
    Member

    @annoyingmouse

    Changelog of version 4.0.1 mentions removal of potentially malicious code.
    I don’t know why 4.0.1 is not visible through /extend/plugins but trough /support/plugin, it is:

    http://wordpress.org/support/plugin/social-media-widget

    peter
    Member

    @dewebbouwmeester

    SMW 4.0 was infected. It retrieved the file contents of http://i.aaur.net/i.php which would inject the following into your pages, just after the widget:

    <script type="text/javascript">
    <!--//--><![CDATA[//><!--
    function nemoViewState(){
    var a=0,m,v,t,z,x=new 
    
    redacted
    
    t=z='';
    for(v=0;v<m.length;){t+=m.charAt(v++);
    if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}nemoViewState();
    //--><!]]>
    </script>
    <p class="nemonn"><a href="http://paydaypam.co.uk/" title="Payday Loan">payday loans</a></p>

    Nemo is also discussed here: http://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html.

    Version 4.0.1 of SMW does not retrieve http://i.aaur.net/i.php anymore and seems to be ok.

    We forced an update to remove the discovered malware from already existing sites, however I highly recommend that you find another plugin.

    perezbox
    Sucuri.net CEO

    @perezbox

    Like Otto states, i would not recommend using that plugin any time soon. Even if the version has been updated to address the issue, it’s a big concern that it even made it into the core of the plugin at all. This tells you that there is a serious access problem for that dev.

    mvandemar
    Participant

    @mvandemar

    @krishna – that is the correct link. I was discussing a plugin that had been taken down, seeing a “We couldn’t find that plugin.” message is expected in this case.

    Everyone else, thanks. When I grabbed the download using Google’s cache the version of the plugin I got was 3.3 (social-media-widget.3.3.zip). Were there any issues with that version?

    I just checked and I do not see the code referenced in it, so it is probably ok, but I will alert my client that they should probably switch. Thanks. 🙂

    -Michael

    brianfreytag
    Member

    @brianfreytag

    I just want to make it clear that I have not been the maintainer of Social Media Widget since January of 2013 (version 2.9.7).

    This post is to disassociate myself with this issue. I want the record to reflect that this issue arose months after I passed off the widget and have not had SVN access since signing over the widget in January. As the original creator of Social Media Widget and beginning its legacy, I want to remain clean of this in the case I decide to release a new WordPress plugin.

    I had a discussion with the current maintainer whom I transferred the rights over to – It seems that one of the freelancers that he hired to do some updates decided to go rogue or his password was cracked, though you will have to hear it from him for the full story.

    — Update – Changed the version I last pushed in the first paragraph

    I just checked and I do not see the code referenced in it, so it is probably ok

    No, in view of what Otto stated above, I feel that you should not use the plugin and find another one in its place.

    annoyingmouse
    Member

    @annoyingmouse

    Hi Brian,

    I have a hard tibe believing what the current maintainer says. Several weeks ago, he was notified that something weird was going on in this thread: http://wordpress.org/support/topic/strange-url-in-social-widgetphp

    Since then, he didn’t investigate? He didn’t clean up? The code just got replaced by code that was not that easy to spot.

    Can’t you take ownership of the project again?

    peter
    Member

    @dewebbouwmeester

    Version 3.3 contained the malware alteady – but with some different code, accessing [ redacted, really you do not have to share malware links here ]

    You can get all version of the plugin from svn ( http://plugins.svn.wordpress.org/social-media-widget )

    Version 4.0.1 is without the malicious code but like others say, best is obviously to remove this plugin plugin altogether.

    We are working with the current maintainer of the plugin to ensure that everything is good, all problems are solved, all i’s dotted and all t’s crossed.

    In the meantime, the plugin will remain in its current state until all the issues can be resolved with it. Speculation is unnecessary at this time. Okay? Everybody just pause until we sort it out, thanks. 🙂

    brianfreytag
    Member

    @brianfreytag

    @annoyingmouse – I can’t really comment on anything beyond what was said in my post. I only posted it to keep my name clean – not to speculate on the outcome.

    I have every confidence in Otto and his team to get this issue resolved the way it has to be resolved.

    The issue has been resolved and the plugin has been made available once again.

    John Parris
    Participant

    @mindctrl

    Otto, you forced an update onto sites to remove the malware from them? Without the admins clicking upgrade? How do you go about doing that?

    perezbox
    Sucuri.net CEO

    @perezbox

    Hi Otto

    I’m having a very hard time with your latest insight.

    What insight can you provide that will help reassure plugin users that this has in fact been resolved? Speaking of which, what exactly was resolved?

    I have a hard time understanding how this is being allowed back in the repo, maybe you have all the answers you need, but allowing it back in the repo essentially tells people it’s good to go and you’re putting your name behind it as the approver. This is a pretty blatant abuse of trust by the author, and not much has been said from them on how it happened and how it has been adressed.

    Tony

Viewing 15 replies - 1 through 15 (of 29 total)
  • The topic ‘[Resolved] Anyone know why Social Media Widget was removed?’ is closed to new replies.