Comment on Display Widgets Plugin Review by SEO Dave.
I couldn’t agree more about the plugin team having a real issue here. The Display Widgets plugin has really highlighted failings in their system, a system best described as putting out fires rather than fire prevention: I emailed them over a dozen times about this plugin and they missed the malicious code at least twice when they rechecked the code!
The Display Widgets plugin isn’t even a big plugin: the hacked versions were two files, one containing pretty much the original 2.05 code and the geolocation.php file that was 50% tracking code and 50% malicious code (to create a dynamic post to hack sites). I’d hate to think what could be hidden in some of the huge plugins (dozens of PHP files) in the repository!
I’m just a WordPress user like you and noticed the tracking issue, but I wasn’t looking for malicious code. The plugin team should be looking for this sort of thing when a new developer with no track record has consistently broken the plugin repository rules over and over again with a plugin they paid money for: that should have rung alarm bells, as a business doesn’t buy a plugin without a plan to monetize it, and free plugins are difficult to make money from.
This is a case study of incompetence: they missed the malicious code at least twice, missed user reports (including a Trac ticket) of malicious code, took days to release the v2.7 update and still haven’t forced an upgrade, meaning there are tens of thousands of WordPress sites running vulnerable 2.6 code which THEY are responsible for allowing in the repository!
Regarding hacked sites, I wrote a comment about how to clean a site: https://stallion-theme.co.uk/display-widgets-plugin-review/comment-page-1/#comment-48617
I’m still not sure how much damage the hacker has done to WordPress sites, so don’t know how much to worry about this.