Thanks for the information. It is very helpful I have a number of sites using Display Widget and I’m quite concerned about the damage it can cause.
I use WordFence and it showed that version 2.6.3 needed to be updated to v2.7. I haven’t yet found any information about a version 2.7. Have you seen anything?
Is it possible to simply comment out or delete the malicious code from version 2.6.3? That seems like it could be the most expedient route.