Exact same problem here, malware? This is extremely concerning. I want to know exactly why that text is there and if anything else has been compromised.
@nengineer @mikefromnz Are you using WP Engine and its plugin repository mirror to update the plugin by any chance?
On my WPE hosted site, this only happens if the plugin source is WP Engine’s mirror. If I change the plugin repo source to the official WordPress repo, the plugin updates without any issues.
Hi @nengineer, @saadcodes, @mikefromnz
That markup was accidentally included in one of the plugin files during the version submission process, but it was removed immediately and the corrected version was submitted again. It does not exist in the current version available in the repository.
I’m wondering how you were able to download the version containing that code, because it was corrected within a few seconds.
In any case, it is not malware. I suggest downloading the plugin again from the repository.
We will also release a new version soon, just to make sure no other users experience the same issue.
@giuse Thank you for the prompt update!
In my case, the site is hosted on WP Engine, with WordPress Update Source = Default (WP Engine’s Mirror of the WordPress.org update service – wpe-api.wpengine.com).
It would be interesting to find out how often WP Engine refreshes its mirror. Meanwhile, switching WordPress Update Source to WordPress.org (api.wordpress.org) seems to fix the issue.
Thank you very much @saadcodes
I think the issue with the WP Engine mirror wasn’t the refreshing frequency.
Regardless of whether the WP Engine mirror was refreshed, the plugin had already been updated with the wrong version.
What I find more interesting is how the mirror was able to retrieve the wrong version.
The process was as follows:
- The incorrect version 2.6.5, which included the markup, was submitted, while the official version was still 2.6.4.
- The incorrect package was then replaced with the correct 2.6.5 package, while the official version was still 2.6.4.
- Finally, the official version was switched to 2.6.5.
The WP Engine mirror must have retrieved the incorrect package before the second step was completed.
Or, what I think actually happened is that when the official version was switched to 2.6.5, the WordPress server was still serving the incorrect package from its cache.
@nengineer, @mikefromnz
In any case, version 2.6.6 is now available, so nobody else should encounter this issue.
@saadcodes @giuse
Yes, running WP Engine and set to WP Engine mirror for the plugins.
I have since changed to the official repository in my WordPress settings. Interestingly, WP Engine is still delivering the 2.6.5 version.
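
Added example, not part of the thread or the plugin's own code: one way to check whether two update sources serve different contents under the same version number is to hash every file inside the two zips and compare. The plugin name, file paths and stray markup below are constructed; in practice the two byte strings would be the packages downloaded from each source.

```python
import hashlib
import io
import zipfile


def build_zip(files):
    """Build an in-memory zip from {path: bytes}; stands in for a downloaded package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in sorted(files.items()):
            zf.writestr(path, data)
    return buf.getvalue()


def manifest(zip_bytes):
    """Map each file to the SHA-256 of its uncompressed content.

    Hashing per file (not the whole archive) ignores zip timestamps and
    compression differences, and names the exact file that differs.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def diff_packages(reference_zip, candidate_zip):
    """Return files changed, missing or extra in candidate relative to reference."""
    ref, cand = manifest(reference_zip), manifest(candidate_zip)
    return {
        "changed": sorted(p for p in ref.keys() & cand.keys() if ref[p] != cand[p]),
        "missing": sorted(ref.keys() - cand.keys()),
        "extra": sorted(cand.keys() - ref.keys()),
    }


# Constructed sample packages: same version header, one file carries stray markup.
CLEAN = {
    "example-plugin/example-plugin.php": b"<?php\n/* Version: 2.6.5 */\n",
    "example-plugin/inc/helper.php": b"<?php\nfunction helper() { return 1; }\n",
}
STALE = dict(CLEAN)
STALE["example-plugin/inc/helper.php"] = b"<p>stray markup</p>\n" + CLEAN["example-plugin/inc/helper.php"]

OFFICIAL_ZIP = build_zip(CLEAN)  # stands in for the official repository download
MIRROR_ZIP = build_zip(STALE)    # stands in for the copy the mirror served

if __name__ == "__main__":
    print(diff_packages(OFFICIAL_ZIP, MIRROR_ZIP))
```
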