If you are using Social Media widget plugin in your WordPress site, make sure to remove it immediately. Sucuri has discovered that the plugin is being used to inject spam into your site.
The Social Media Widget is a simple sidebar widget that allows users to input their social media website profile URLs and other subscription options to show an icon on the sidebar to that social media site and more that open up in a separate browser window.
It is one of the popular plugin with more than 935,000 downloads, it means thousands of WordPress sites are affected.
According to Sucuri malware report, the plugin has a hidden call to a malicious url "hxxp://i.aaur.net/i.php", which is used to inject "Pay Day Loan" spam into the websites running the plugin.
The malicious code was added only in the latest version of the plugin , SMW 4.0. Users are recommended to remove the plugin from their sites. The plugin has been removed from the WordPress Plugin repository.