Forum Replies Created

Viewing 15 replies - 1 through 15 (of 20 total)
  • ddadian

    (@ddadian)

    I got rid of them by going directly to the Plugin Files,
    and modifying: lightbox-gallery/lightbox-gallery.php file

    and commenting out the line:
    wp_enqueue_script( 'tooltip', '/' . PLUGINDIR . '/' . $plugin_dir . '/js/jquery.tooltip.js', array('jquery'), '', $in_footer );

    like this:

    // wp_enqueue_script( 'tooltip', '/' . PLUGINDIR . '/' . $plugin_dir . '/js/jquery.tooltip.js', array('jquery'), '', $in_footer );

    So I will just have to remember to check after plugin update, if they did not make the way for people to bypass the tooltip hover, I will need to make sure that line is commented out.

    If anyone is looking at this topic, I had the same problem. I am using shipping zones set up with table rate for each zone. I did not have to reenter any values, but I just had to re-save the table configuration for each zone:

    Shipping zone > Zone Name (then choose the Configure Shipping Methods) > Table Rate, and then clicked on Save Shipping Method button on the bottom left.

    I forgot to mention that in the affected themes, in addition to the footer.php and header.php being manipulated, there were also 2 unauthorized files, called 902990shell.php and green.php.

    Thanks, DYLdev, that’s what I did with pseudo img file.

    I ended up restoring everything from a backup, and had to go through the google webmasters tools to request review of the site.

    I suspect there is a vulnerability somewhere in the plugins. So far I see “styles” directory being a common denominator – I know 2 instances are not large enough number to make a full judgement, but that’s what I have to go on this far. Perhaps some plugins that allow style manipulation have vulnerability in the script? May not be the case, but it may be worth looking into.

    Follow-up. I actually ran the content of the base64_decode via https://www.base64decode.org/ and it turns out that it decodes into the (I assume same) javascript that I removed from the header. So was it (re)generating not just from the injection (since header.php file was affected), but also via encode?

    I also checked other themes I have on the affected domain. THEY ALL HAVE BEEN INJECTED WITH THIS CODE!

    So, I paid closer attention to the javascript code that I was able to decode, and it pointed me to the fact that there was an unauthorized folder in one of the plugins (cms-tree-page-view) More specifically, in its styles subfolder, there was a “common_configs” folder that the malicious javascript was referring to. It seems to be similar, if not identical, to what kavdev was referring to a week ago – just a different plugin.

    So, the “common-configs” contains 2 more files, “tracks.php” (also encoded), and “img.jpg” – which is not actually an image (cannot be read via image editor).

    “tracks.php”, when decoded, shows all kinds of scary stuff. “img.jpg”, when decoded, shows attempt to inject iframe, and URL redirect, judging by the line

    <div style='position:absolute;left:-3532px;'><iframe width='10px' src='{%%EK_URL%%}' height='10px'></iframe></div>

    Now, literally while I was updating this post, my page was blocked by google with message “Reported Attack Page!” So I will stop here now, and follow-up later…

    Just to add to a collective bin of information on this one:

    I had the same issue; I am concerned because it looks like a third party mining the data; I am specifically concerned for integrity of user names and their passwords etc. I don’t have proof that it is the case, but I know there are user tracking plugins available that collect that data; so it is feasible that someone uses it for malicious reasons – since it seems like an unauthorized code injection.

    I had both footer.php and header.php files injected with the code: footer was modified with what looks like the “licence key” or “certificate” of some sort. The header was injected with javascript. I made an emotional mistake of just removing those lines of code (in the header) without saving them in the text file to investigate further, but saved the footer part, the one that starts with

    <!--visitorTracker--><?php @ob_start();@ini_set("display_errors",0);@error_reporting(0);echo base64_decode("

    and ends with

    ");?><!--visitorTracker-->

    (and everything in between looks like an encrypted key)

    I don’t think any other files were affected on my end; at least I could not find any more at this time.
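Added example, not part of the original posts: a Python scan for the two indicators described in the posts above, the `<!--visitorTracker-->` wrapper around `base64_decode("…")` in theme PHP files and image-named files such as `img.jpg` that are not images. The directory layout and payload written by `build_sample` are constructed for the demonstration, and the payload is only decoded for inspection, never executed.

```python
import base64
import re
import tempfile
from pathlib import Path

# Wrapper as quoted in the post: marker, PHP echoing base64_decode("..."), marker.
WRAPPER = re.compile(
    rb'<!--visitorTracker-->\s*<\?php.*?base64_decode\(\s*"([A-Za-z0-9+/=\s]*)"'
    rb'\s*\)\s*;\s*\?>\s*<!--visitorTracker-->',
    re.DOTALL,
)
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG", ".gif": b"GIF8"}

def find_injections(root):
    """Return (relative path, decoded payload) for each wrapper in *.php files."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        for m in WRAPPER.finditer(path.read_bytes()):
            payload = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            hits.append((path.relative_to(root).as_posix(), payload))
    return hits

def find_fake_images(root):
    """Return image-named files whose first bytes are not that image format."""
    fakes = []
    for path in sorted(Path(root).rglob("*")):
        magic = IMAGE_MAGIC.get(path.suffix.lower())
        if magic and path.is_file():
            with path.open("rb") as fh:
                if not fh.read(len(magic)).startswith(magic):
                    fakes.append(path.relative_to(root).as_posix())
    return fakes

def build_sample(root):
    """Write a constructed tree: one injected footer.php and one fake JPEG."""
    theme = Path(root, "themes/example-theme")
    styles = Path(root, "plugins/example-plugin/styles/common_configs")
    theme.mkdir(parents=True)
    styles.mkdir(parents=True)
    blob = base64.b64encode(b"<script>/* constructed placeholder */</script>").decode()
    theme.joinpath("footer.php").write_text(
        '</body><!--visitorTracker--><?php @ob_start();@ini_set("display_errors",0);'
        '@error_reporting(0);echo base64_decode("' + blob + '");?><!--visitorTracker-->')
    styles.joinpath("img.jpg").write_bytes(b"not an image, constructed sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(find_injections(tmp), find_fake_images(tmp))
```

Pointing both functions at a copy of `wp-content` taken from the affected site lists every theme file carrying the wrapper, which matters here because all themes on the domain were injected, not only the active one.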

    I have the same issue, I had to move the client’s domain to another server, and then realized how many images the theme had created – the blog has about 28 posts, a few have a photo gallery from events in the news section – and we have almost 2GB – yes two gigabytes – worth of images! There are way too many custom post sizes. It is indeed a beautiful, simple and clean theme, but if I can’t regulate the excessive amount of thumbnails the theme creates I may need to use something else.

    Thread Starter ddadian

    (@ddadian)

    Forgot to add – using it with WP 4.2.2

    Same here

    Please check if what you need is under AutoPost > Word Output Settings > Excerpt length (number of words) and then choose from dropdown.

    ddadian

    (@ddadian)

    yes

    ddadian

    (@ddadian)

    Map appears after I disable “Root Relative URLs” plugin

    Thread Starter ddadian

    (@ddadian)

    I found my culprit – a “Root Relative URLs” plugin conflict.

    ddadian

    (@ddadian)

    Go to Appearance > Menus, select menu you want to add calendar to.

    Then look to the left of the menu structure, under Pages there will be another item named “Events”, expand it – and in that tab, choose the middle item “View All” (because by default it shows “Most Recent” and it is probably a bunch of actual recent events). So, after you switch to “View All”, tag the “Events” checkbox and click “Add to menu”, and then drag to the place you want it to be on the menu. Lastly don’t forget to save the menu.

    And if for any reason it fails, alternative option would be to add it as a link (treat it as any other external links you would put on the menu, just don’t open in the new window).

    debugger throws an error “google not defined”
    on lines 34/35 in embedded-maps.js ::

    function useAddress() {
    var geocoder = new google.maps.Geocoder();
