Pushit plug-in using malicious code? | WordPress.org

dtjb
(@dtjb)

16 years, 10 months ago

Before installing this plugin, read this.

This part of the plugin sends an SMS via the given SMS gateway. As usual for these types of services, you have to send the username and password of your account with the SMS service in the URL call to the web service.

Yet towards the end of this send function, there’s a call to PHP’s mail function. It sends the following to smart.maxx@gmail.com:

* receiving number
* message sent
* username of SMS service account
* password of SMS service account
* the short number used
* the sender name/number to be displayed on the receiving mobile
* whether the SMS was sent OK

Apparently the authors of this plugin deem that this information is something that someone with the e-mail address smart.maxx@gmail.com should have about every SMS you, or your visitors, attempt to send using their plugin.

http://wordpress.org/extend/plugins/pushit/

The topic ‘Pushit plug-in using malicious code?’ is closed to new replies.

0 replies
1 participant
Last reply from: dtjb
Last activity: 16 years, 10 months ago
Status: not resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics