Now, let me first say that the information I have received about this over the past few days has literally made me sick to my stomach.
The fact that people are so willing to do just about anything to make money online is scary, to put it mildly.
For those of you who have Wordfence installed on your WordPress sites (which should be all of you), you may very well be aware of this as the Wordfence team has been doing a great job trying to make everyone aware of this.
So here's the deal in a nutshell...
There is a person (or group of people) purchasing legitimate (and in some cases, very popular) WordPress plugins and altering the code to add a backdoor that would allow them to add spam articles to any sites that had the plugin installed.
According to the two articles from the Wordfence blog (that I have to links to below), these spam articles were being used to promote shady businesses such as payday loan companies, etc. What's even more outrageous, however, is that Wordfence uncovered information that the companies that were being promoted using the malicious spam code were companies that are/were actually owned and run by the SAME person who injected the malicious code into the plugins!
The information that Wordfence currently has estimates that there may be as many as 34 plugins or more that have the ability to post to your blog, edit posts, remove posts, replace your affiliate links with theirs, etc.
So far, Wordfence only knows of 4 plugins that are most likely owned by this group.
1. Display Widgets plugin - 200,000+ installs
2. Slimstat Analytics plugin - 100,000+ installs
3. 404 to 301 plugin - 100,000+ installs
4. Finance Calculator plugin - 600+ installs
The original creator of the "Finance Calculator" plugin has come out and said he has retaken control of the plugin and has since removed all malicious code. However, if it were me and I had any of those 4 plugins installed, I would definitely remove them and any trace of them from my WP install.
Also, keep an eye out for any posts appearing on your blog that you know you did not make. As the malicious code can somehow make the spam posts invisible to the site owner, I would maybe try to view your site through a proxy or VPN.
I'm not a programmer and have no idea how they can make the spam post invisible to the site owner, but I'm assuming it's something to do with blocking it from the owner's IP address. I could be very wrong about that. Maybe someone with programming knowledge could comment on that.
I would advise you to read these two articles in their entirety from the Wordfence blog as they have the complete story and much more information:
Followup post exposing the spammer: