Web Flaws and Vulnerabilities

Widget Logic and the undesired JavaScript injection


Timothée Allemmoz reported on the WordPress France Community Slack that the Widget Logic plugin seemed to have been hijacked. Let's look at this together. (TL;DR: it's infected, but I'll give you a solution to keep it!)

Investigation

First thing to do: go to the plugin's wp.org page and read the reviews. We quickly learn that it had been closed for 11 days at the time of writing. The latest reviews say that a JS file is being included.

wl main

We can also check the version and see that it was updated 2 weeks ago:

wl version

Just by eye:

Widget Logic v5.9.0

Now let's look at the difference in the file structure on SVN. Besides the fact that we jump from 0.57 to 5.7, a change occurs from version 6:

Widget Logic v6.02

The author goes from “wpchefgadget, alanft” to “Widget Logic” at widgetlogic.org. It's still possible to change the author name while remaining the same person, especially if they turn the plugin pro/premium, but here the site clearly shows that it's free (for now!). Who changed that??

In the code

Now let's look at a diff; we immediately find this code:

widget logic js enqueue

Ouch, I already like this less. The included file widget_cfg.php is just a kind of fake in-house library that returns fixed data:

widget logic cfg

I have framed the two values that interest us; all of this simply builds the following link to a JavaScript file that will be included on your sites: https://widgetlogic.org/v2/js/data.js?t=123456 (you can click, no danger).

By beautifying this code we find lots of things, including this:

widget logic football

Sorry, what? Football data?? But why?!

Because this plugin adds a widget or Gutenberg block with live football data:

widget logic match

But what's the point? None! In any case, the link to the .js on their site is present EVERYWHERE on your site, and the block you get looks like this:

widget logic bloc

So, as I was saying, “no relation”. The problem with loading a .js from a very uncertain external source, unlike a link that points to a GAFAM (yes, it's still more secure, sorry), is that someone only has to compromise their site to inject other JS code into ALL the installations at once.

FIX

Beyond the fact that their 6.0.3 update carries a version number lower than their 6.02 (which is a typo, but sorry guys, 6.02 = 6.2 in a version comparison, so it's higher than the new 6.0.3! The next 6.0.4 will be even better… you need at least a 6.2.x or 6.2.x.x!). Ouch.

Let's skip this point and see how you can keep the plugin without their code. There are 2 solutions:

  1. You literally delete the code indicated in “In the code” from widget.php.
  2. You add a mu-plugin to unhook everything.

The disadvantage of point 1 is that the next version (only if it carries a correct version number) will put the code back in place if they leave it in. The advantage is that it's easy to do.

The disadvantage of point 2 is that you have to (know how to) create a mu-plugin. The advantage is that it's a lasting fix!

Point 1

  • Open the file /widget-logic/widget.php from your FTP,
  • Delete the lines of code indicated in the first capture of “In the code” above,
  • Save.

Point 2

  • Create the file /wp-content/mu-plugins/secupress-widget-logic-fix.php on your FTP,
  • Paste the following code (secupress-widget-logic-fix.php):

```php
<?php // SecuPress
// Remove the remote data.js script that the plugin enqueues on the front end.
add_action( 'wp_head', 'secupress_fix_widget_logic_603_1' );
function secupress_fix_widget_logic_603_1() {
	wp_dequeue_script( 'widget-logic_live_match_widget' );
}

// Unhook the actions and filters the plugin registers for its block and widget.
add_action( 'plugins_loaded', 'secupress_fix_widget_logic_603_2' );
function secupress_fix_widget_logic_603_2() {
	remove_action( 'enqueue_block_assets', 'widget_logic_widget_enqueue_block_editor_assets' );
	remove_action( 'init', 'widget_logic_init_block' );
	remove_action( 'enqueue_block_assets', 'widget_logic_enqueue_block_editor_assets' );
	remove_action( 'wp_loaded', 'widget_logic_add', 999 );
	remove_filter( 'rest_pre_dispatch', 'widget_logic_clearing', 10, 3 );
	remove_filter( 'render_block', 'widget_logic_block_render', 10, 2 );
}

// Unregister the live match widget once widgets have been registered.
add_action( 'wp_loaded', 'secupress_fix_widget_logic_603_3' );
function secupress_fix_widget_logic_603_3() {
	unregister_widget( 'Widget_Logic_Live_Match_Widget' );
}
```

  • Save.
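To check whether a site is affected before applying either fix, and to see why the 6.02 versioning typo discussed under "FIX" matters, here is an added audit script (not code from the article or from the Widget Logic plugin). It scans a plugin directory for the indicators named above (the widgetlogic.org host, widget_cfg.php and the script handle) and shows, with PHP's version_compare(), that a site on 6.02 is never offered 6.0.3; the temp directory and sample file contents are constructed for the demo.

```php
<?php
// Added example (not code from the article or the Widget Logic plugin): audit a
// local plugin copy for the indicators described above and show why a site on
// "6.02" is never offered the 6.0.3 update.

// Indicators taken from the article: the remote script host, the fake config
// library, and the script handle the mu-plugin dequeues.
const WL_INDICATORS = ['widgetlogic.org', 'widget_cfg.php', 'widget-logic_live_match_widget'];

// Walk a plugin directory and return [path => [indicator, ...]] for every
// .php or .js file containing at least one indicator.
function wl_scan_plugin_dir(string $dir): array
{
    $hits  = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!in_array($file->getExtension(), ['php', 'js'], true)) {
            continue;
        }
        $content = (string) file_get_contents($file->getPathname());
        foreach (WL_INDICATORS as $needle) {
            if (stripos($content, $needle) !== false) {
                $hits[$file->getPathname()][] = $needle;
            }
        }
    }
    return $hits;
}

// The update check relies on PHP's version_compare(): an update is offered only
// when the new version compares greater. PHP reads "6.02" as 6.2, so 6.0.3 and
// 6.0.4 both compare as older than the installed 6.02.
function wl_update_offered(string $installed, string $available): bool
{
    return version_compare($available, $installed, '>');
}

// Demo on a constructed plugin copy (sample content, not the real plugin source).
$dir = sys_get_temp_dir() . '/wl-demo-' . uniqid();
mkdir($dir);
file_put_contents("$dir/widget.php", "<?php\nrequire_once __DIR__ . '/widget_cfg.php';\n"
    . "wp_enqueue_script('widget-logic_live_match_widget', 'https://widgetlogic.org/v2/js/data.js?t=123456');\n");
foreach (wl_scan_plugin_dir($dir) as $path => $found) {
    echo "$path: " . implode(', ', $found) . PHP_EOL;
}
var_dump(wl_update_offered('6.02', '6.0.3'), wl_update_offered('6.02', '6.2.1'));
unlink("$dir/widget.php");
rmdir($dir);
```

Point wl_scan_plugin_dir() at the real /wp-content/plugins/widget-logic/ directory to get the list of files still carrying the injected code.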

So, do you use this plugin?
