Social Media Widget Plugin for WordPress Advisory
The Social Media Widget, a free plugin for WordPress, was found to be injecting spam links pointing to payday-loan websites into the WordPress sites on which it was installed. Technical details can be found on the Sucuri blog.
This popular plugin, with over a million downloads, lets WordPress site owners enter their social media profile URLs and other subscription options, which are then displayed as icons linking directly to their Facebook, Twitter, LinkedIn, Instagram, Flickr, Pinterest, Skype and other social media pages. It is currently one of the 20 most popular WordPress plugins.
The author and publisher of the plugin, Brendan Sheehan (of the SEO company Media Compass), called the malicious PHP code "a mistake that we will not let happen again." According to Sheehan and WordPress admins, the source of the malicious code was a third-party contractor hired to update the SMW plugin; the changes were made without the author's knowledge.
WordPress initially removed the plugin from the WordPress.org repository, but after review allowed it back under a probationary watch, on the condition that it stays free of malicious links.
It is highly recommended that all WordPress site owners running the Social Media Widget plugin immediately DELETE the installed copy from their WordPress dashboard, rather than updating it in place, and then install a clean copy of version 4.0.2 of the plugin, confirming afterwards that the active copy reports version 4.0.2.
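As an added example (not code from the advisory, from Sucuri, or from the plugin itself), the script below shows the kind of post-reinstall check a site administrator would run: it reads the plugin's `Version:` header, compares it with 4.0.2, and flags PHP lines that fetch content from a hard-coded remote URL or hide what they execute. The directory name `social-media-widget`, the sample plugin files, and the suspicious-pattern list are all assumptions constructed for the example; the patterns are generic red flags for injected link-spam loaders, not the specific code reported in this incident.

```python
"""Audit an installed copy of a WordPress plugin: confirm the version header
and flag remote-fetch / obfuscation constructs in its PHP files.
Added example for this advisory; the heuristics are generic assumptions,
not the specific injected code reported by Sucuri."""
import re
import tempfile
from pathlib import Path

CLEAN_VERSION = "4.0.2"             # version the advisory tells admins to install
PLUGIN_SLUG = "social-media-widget" # assumed directory name under wp-content/plugins

# Generic red flags for code that pulls content from a remote host or hides
# what it runs (assumed heuristics, not indicators taken from the incident).
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode() call"),
    (re.compile(r"""\b(?:file_get_contents|curl_init|fopen|wp_remote_get|wp_remote_fopen)\s*\(\s*['"]https?://"""),
     "fetch of a hard-coded remote URL"),
]

# Matches the "Version: x.y.z" line of a WordPress plugin header comment.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)


def plugin_version(main_file: Path):
    """Return the 'Version:' value from the plugin's header comment, or None."""
    m = _VERSION_RE.search(main_file.read_text(errors="replace"))
    return m.group(1) if m else None


def scan_php_file(path: Path):
    """Return (line_number, description, stripped_line) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        for pat, desc in SUSPICIOUS_PATTERNS:
            if pat.search(line):
                hits.append((lineno, desc, line.strip()))
    return hits


def audit_plugin(plugin_dir: Path, expected_version: str = CLEAN_VERSION):
    """Check the version header and scan every PHP file under plugin_dir."""
    main_file = plugin_dir / f"{plugin_dir.name}.php"
    version = plugin_version(main_file) if main_file.exists() else None
    findings = {}
    for php in sorted(plugin_dir.rglob("*.php")):
        hits = scan_php_file(php)
        if hits:
            findings[php.relative_to(plugin_dir).as_posix()] = hits
    version_ok = version == expected_version
    return {
        "version": version,
        "version_ok": version_ok,
        "findings": findings,
        "clean": version_ok and not findings,
    }


# Constructed sample plugin tree (not real plugin code): an out-of-date main
# file plus one include that fetches content from a remote host, the shape an
# injected link-spam loader takes. example.invalid is a placeholder host.
SAMPLE_FILES = {
    "social-media-widget.php": (
        "<?php\n/*\nPlugin Name: Social Media Widget\nVersion: 4.0.1\n*/\n"
        "require_once __DIR__ . '/inc/links.php';\n"
    ),
    "inc/links.php": (
        "<?php\nfunction smw_extra_links() {\n"
        "    $html = file_get_contents('http://example.invalid/links.txt');\n"
        "    echo $html;\n}\n"
    ),
}


def demo():
    """Write the constructed sample to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin_dir = Path(tmp) / PLUGIN_SLUG
        for rel, body in SAMPLE_FILES.items():
            p = plugin_dir / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return audit_plugin(plugin_dir)


if __name__ == "__main__":
    r = demo()
    print("installed version:", r["version"], f"(expected {CLEAN_VERSION})")
    for f, hits in r["findings"].items():
        for lineno, desc, text in hits:
            print(f"  {f}:{lineno}: {desc}: {text}")
    print("verdict:", "clean" if r["clean"] else "replace with a clean copy")
```

On a live site, point `audit_plugin` at `wp-content/plugins/social-media-widget` instead of the constructed sample. A version mismatch or any finding means the old copy should be deleted and a clean 4.0.2 installed; an empty finding list is not proof of a clean plugin, since these patterns only catch the most common loader constructs.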