> In 2017, a buyer using the alias “Daley Tias” purchased the Display Widgets plugin (200,000 installs) for $15,000 and injected payday loan spam.

Is that it? Going through all that trouble just for some spam? Surely more lucrative criminal actions can be imagined with a compromised WP plugin?