• TheWatcher2

    (@thewatcher2)


    Do not install this plugin on your WordPress site. It adds malicious js code including links to the infamous tracking site cc.chango.com. This site tracks users everywhere they go on the internet and CSS Plus adds code to every page or post, which includes the js code to contact the cc.chango.com site. Every page I tried to load from my site hung and waited as it tried to contact cc.chango.com before loading. I deactivated and deleted the CSS Plus plugin and the malicious js code disappeared. DO NOT USE THIS PLUGIN!!!!!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    It adds malicious js code including links to the infamous tracking site cc.chango.com.

    That’s very serious. Do you know where in the plugin source code that happens? I haven’t yet installed this plugin.

    Thread Starter TheWatcher2

    (@thewatcher2)

    If you install it on a test site, use Firebug to inspect the code on the page that uses the plugin. Search for the chango name and you will see the js code immediately come up. If you then deactivate or delete the CSS Plus plugin, the js code will disappear. I wouldn’t be surprised if the plugin was sponsored by this corporate site to secretly insert their code into WordPress development. The end result is to be able to track everyone that visits a site and do it surreptitiously. This shouldn’t be allowed in WordPress plugins.
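
The activate/deactivate comparison described in this reply can be scripted instead of searched by hand in the browser. This is an added example, not part of the original thread or of the plugin's code; the site host `test.example`, the host `cdn.example.net`, the `/example.js` path and both HTML samples are constructed for illustration.

```python
# Added example: diff the third-party hosts a page references with a plugin
# active versus deactivated. All HTML below is constructed sample data.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_ATTRS = {"src", "href", "data", "action"}
# Absolute or protocol-relative URLs inside inline <script> bodies.
INLINE_URL = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)

class HostCollector(HTMLParser):
    """Collect every host named in URL attributes and inline scripts."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name in URL_ATTRS and value:
                host = urlparse(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # injected code often builds its URL in JS
            self.hosts.update(m.group(1).lower() for m in INLINE_URL.finditer(data))

def third_party_hosts(html, site_host):
    collector = HostCollector()
    collector.feed(html)
    collector.close()
    return {h for h in collector.hosts
            if h != site_host and not h.endswith("." + site_host)}

def hosts_added_by_plugin(html_active, html_inactive, site_host):
    """Hosts that appear only while the plugin is active."""
    return sorted(third_party_hosts(html_active, site_host)
                  - third_party_hosts(html_inactive, site_host))

SITE = "test.example"  # hypothetical test site
PAGE_INACTIVE = ('<html><head><link rel="stylesheet" href="https://test.example/style.css">'
                 '</head><body><img src="https://cdn.example.net/a.png"></body></html>')
PAGE_ACTIVE = PAGE_INACTIVE.replace("</body>", '<script>var s = document.createElement'
    '("script"); s.src = "//cc.chango.com/example.js";</script></body>')
print(hosts_added_by_plugin(PAGE_ACTIVE, PAGE_INACTIVE, SITE))
```

Save the page source once with the plugin active and once with it deactivated, then pass both files' contents in place of the constructed samples.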

    Thread Starter TheWatcher2

    (@thewatcher2)

    I haven’t found where the code appears within the plugin itself, however. I would investigate further, but I consider the software to be too dangerous to have even on my test site. I don’t know what other silent tracking schemes or bots might be included within the plugin’s code.

    Plugin Author paulo4lzn

    (@paulo4lzn)

    Hello,
    Can you display where you found this error, please?

    Thread Starter TheWatcher2

    (@thewatcher2)

    Well this is interesting. I was brave enough to again download the plugin and install it on my test site (not the live site). Amazingly, this time the cc.chango.com javascript code did not appear on the pages. Did you remove it? Even so, this time after plugin activation, no pages or posts would load completely from my test site. I again deactivated it and removed the plugin and everything is back to working normally. Seeing that I tested the appearance of the chango js code several times–activating and deactivating the CSS Plus plugin and seeing it appear and disappear–you must have removed it from the latest downloadable version. This plugin is a nice concept that is needed in WordPress development, but I no longer trust that it doesn’t contain secret code to do other things.

    This is a serious accusation. Can you tell us if you figured out what was causing the malicious injection? Was it this plugin or was it a virus on your computer/server?

  • The topic ‘Beware: adds malicious js code!’ is closed to new replies.