A WordPress plugin named Display Widgets, which has been installed more than 200,000 times, has been used to install a backdoor on WordPress sites. The backdoor code was found in releases between Display Widgets version 2.6.1 (released June 30) and version 2.6.3 (released September 2). The WordPress.org team has intervened and removed the plugin from the official WordPress Plugins repository. Despite the number of downloads, it is not known how many of these installations were updated to a version that included the malicious behavior.
ORIGINAL SOURCE: Bleeping Computer