• UPDATE: Thanks to a quick response from the plugin author, I was able to deploy the updated version of this plugin. The advertisements are contained to the plugin-specific pages and no longer appear across the rest of the admin dashboard pages.

    A recent update to this plugin started injecting adware into the admin dashboard. There are advertisements at the top of every dashboard page for ShortPixel Image Optimizer and Modula WordPress Photo Gallery. This is a violation of the WordPress Plugin Guidelines.

    I have reported this violation to plugins@wordpress.org.

    https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/#11-plugins-should-not-hijack-the-admin-dashboard

    I was alerted to this problem by site admins at my university who were confused by these advertisements and asking our support staff if they should install these plugins. (They cannot, of course. We use a dev/test/production environment and version control system, and plugins cannot be installed directly on the production server).

    • This topic was modified 5 years, 8 months ago by Jan Dembowski.
    • This topic was modified 5 years, 8 months ago by Jan Dembowski. Reason: Unlinked links
    • This topic was modified 5 years, 8 months ago by Michael. Reason: Plugin author pushed out an update to resolve the issue
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    A recent update to this plugin started injecting adware into the admin dashboard.

    OK, I’ll bite. What are you referring to specifically? Adware is a very serious accusation.

    Thread Starter Michael

    (@eizzumdm)

    This is what I am referring to.

    https://www.dropbox.com/s/xjkfbibphmpokdj/adware.png

    I administer an enterprise content management system with thousands of users. I install a free plugin from WordPress.org to fill a specific need. I carefully vet this plugin, and then activate it across the network.

    Years later, I’m a few months behind on patching plugins on the system. I’ve kept up with security patches, but held off on bug fix updates. I apply a bunch of point updates, including one for Remote Image After Upload. I read the release notes, but I don’t test as thoroughly as I should have. A few days later I get support tickets from confused customers, wondering why there are advertisements at the top of every admin page in said content management system. “Why are there ads? Should they install this software? Was my site hacked?”

    I look at the source code and see a “riau” class. After going through the plugin list, I figure out that it is the Remote Image After Upload plugin that betrayed my trust.

    I apologize to my university colleagues who submitted the support tickets. I then have to decide between patching this plugin or removing this plugin (or visiting every site using this plugin to click the close buttons on these advertisements).

    I really wouldn’t mind if the plugin author promoted his or her software on the config page for the plugin, but to hijack every page of the WordPress dashboard is unacceptable.
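The triage described in the post above (an unfamiliar class in the dashboard markup traced back to one plugin) can be scripted. This is an added example, not part of the thread and not the plugin's code: the plugin folders and PHP snippets are constructed, `find_notice_sources` and `build_sample_tree` are hypothetical helpers, and it assumes the banner is registered on one of WordPress's dashboard-wide notice hooks.

```python
import re
import tempfile
from pathlib import Path

# Real WordPress hooks whose output is rendered on every admin screen.
GLOBAL_NOTICE_HOOKS = ("admin_notices", "all_admin_notices", "network_admin_notices")
HOOK_RE = re.compile(
    r"add_action\(\s*['\"](" + "|".join(GLOBAL_NOTICE_HOOKS) + r")['\"]")


def find_notice_sources(plugins_dir, css_token):
    """Return {plugin: {'hooks', 'token_files'}} for plugins whose PHP both
    registers a dashboard-wide notice hook and mentions css_token."""
    hits = {}
    token_re = re.compile(r"\b" + re.escape(css_token))
    for php in sorted(Path(plugins_dir).rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        rel = php.relative_to(plugins_dir)
        # First path component is the plugin folder (or a single-file plugin).
        entry = hits.setdefault(rel.parts[0], {"hooks": set(), "token_files": []})
        entry["hooks"].update(HOOK_RE.findall(text))
        if token_re.search(text):
            entry["token_files"].append(rel.as_posix())
    return {p: e for p, e in hits.items() if e["hooks"] and e["token_files"]}


def build_sample_tree(root):
    """Write a constructed plugins directory (sample data, not real plugins)."""
    samples = {
        "example-resizer/example-resizer.php":
            "<?php add_action( 'admin_notices', 'riau_banner' );\n"
            "function riau_banner() { echo '<div class=\"riau-notice\"></div>'; }\n",
        "example-gallery/settings.php":  # markup only on its own menu page
            "<?php add_action('admin_menu', 'eg_menu');\n"
            "function eg_menu() { echo '<div class=\"eg-box\"></div>'; }\n",
        "example-backup/notice.php":  # global notice, but a different class
            "<?php add_action('admin_notices', 'eb_warn');\n"
            "function eb_warn() { echo '<div class=\"eb-warn\"></div>'; }\n",
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for plugin, info in find_notice_sources(tmp, "riau").items():
            print(plugin, sorted(info["hooks"]), info["token_files"])
```

Run against a checked-out copy of `wp-content/plugins` in the dev or test environment after an update batch, a non-empty result names the plugin to review before the change reaches production.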

    Plugin Author ShortPixel

    (@shortpixel)

    @eizzumdm
    Michael, please accept our apologies on this. We made the mistake of putting the ad code all over the WordPress dashboard in 2-3 plugins some 4 months ago.
    Since then we removed the ad code from all the other plugins except from “Resize Image After Upload”. We completely forgot about removing it from this plugin as well and you’re the first person to ever bring this up.
    We thank you for that.

    We’ll try to push a plugin update later today to change the behavior of the ads.

    Thank you for your understanding and support,
    Alex

    Plugin Author ShortPixel

    (@shortpixel)

    Hello again,
    just wanted to let you know that we pushed the plugin update as promised.

    Thank you once again for the heads up!

    Alex

  • The topic ‘(Resolved) Adware on the dashboard’ is closed to new replies.