
Achievements for WordPress
[Plugin: Achievements for BuddyPress] Possible exploit - Unknown link has been inserted (4 posts)

  1. Erlend Sogge Heggen
    Member
    Posted 2 years ago #

    I've encountered a rather worrying issue on our live site where we're using the Achievements plugin. In the "give" screen where there's a prompt saying "Select people to give this Achievement to.", a link has been inserted somehow. Here's the link I'm given if I hover over it:
    http://i.imgur.com/3Y39S.jpg
    (see bottom left corner)

    I cannot confirm that this issue is specific to Achievements, but I have yet to discover any other exploit on our site.

    Please reply with your recommended course of action.

    http://wordpress.org/extend/plugins/achievements/

  2. adrian7
    Member
    Posted 2 years ago #

    See your .htaccess and your .php files as your blog might be the target of a Perl/Shellbot attack.

    I have had those kinds of issues with several blogs in the last weeks, but I can't tell if it is a plugin or WordPress related issue.

    Maybe one of your FTP users got hacked or your server's security is not hardened enough.

    Please keep me updated as I am interested in this too.

  3. neosin
    Member
    Posted 2 years ago #

    Many FREE plugins and templates have injection code that will insert ads or links in your site. The code can be encrypted in PHP or JavaScript and can be quite hard to find. I would suggest scanning a plugin's source code for any unusual code as they sometimes randomize the display of these ads/links and included external files.

    If you find what appears to be an encrypted string, post a question about it in the plugin or template page to make more people aware of the issue.

    So, rule of thumb: if something is encrypted, ask yourself why; what are they hiding, and do you really want this potentially dangerous code running on your site?

    Also of note, if you happen to download cracked or stolen Plugins or Templates, the pirates have a tendency to add their own code. So just don't bother with that stuff, it's seriously more trouble than it's worth.

  4. Paul Gibbs
    BuddyPress Lead Developer
    Plugin Author

    Posted 1 year ago #

    I have no awareness of any security issues. If you were able to figure out if this definitely was Achievements, and that it persisted when you deleted the plugin and reinstalled it from WordPress.org, I'll investigate.

Topic Closed

This topic has been closed to new replies.
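
The source scan suggested in post 3, as an added example that is not part of the original thread and not code from the Achievements plugin: it walks a plugin directory and flags lines in PHP and JavaScript files that decode and execute hidden data. The rule set, the file names and the sample plugin contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13)"
# Heuristic rules (assumed, not exhaustive) for code that hides what it does.
RULES = {
    "eval-of-decoded-data": re.compile(
        r"\b(?:eval|assert|create_function)\s*\(\s*@?\s*" + DECODERS + r"\s*\(", re.I),
    "nested-decoders": re.compile(DECODERS + r"\s*\(\s*" + DECODERS + r"\s*\(", re.I),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    "hex-escaped-string": re.compile(r"(?:\\x[0-9a-fA-F]{2}){16,}"),
    "js-unescape-eval": re.compile(r"\beval\s*\(\s*(?:unescape|atob)\s*\(", re.I),
}
SCAN_SUFFIXES = {".php", ".inc", ".js"}

def scan_text(text):
    """Return (line_number, rule_name) pairs for every rule that matches a line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def scan_tree(root):
    """Map each flagged file (path relative to root) to its list of hits."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Scan a constructed plugin directory: one clean file, one suspicious file."""
    payload = "QUJD" * 60  # constructed placeholder string, never executed
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-plugin"  # hypothetical plugin name
        (plugin / "includes").mkdir(parents=True)
        (plugin / "example-plugin.php").write_text(
            "<?php\nadd_action('init', 'ex_init');\nfunction ex_init() { return true; }\n")
        (plugin / "includes" / "footer.php").write_text(
            f"<?php\n$k = '{payload}';\neval(gzinflate(base64_decode($k)));\n")
        return scan_tree(plugin)

if __name__ == "__main__":
    for name, hits in demo().items():
        for lineno, rule in hits:
            print(f"{name}:{lineno}: {rule}")
```

A hit is a prompt to read that line and compare the file against a fresh copy of the plugin from WordPress.org, not proof of compromise.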
