WordPress.org

Forums

CSS Plus
Beware: adds malicious js code! (7 posts)

  1. TheWatcher2
    Member
    Posted 1 year ago #

    Do not install this plugin on your WordPress site. It adds malicious js code including links to the infamous tracking site cc.chango.com. This site tracks users everywhere they go on the internet and CSS Plus adds code to every page or post, which includes the js code to contact the cc.chango.com site. Every page I tried to load from my site hung and waited as it tried to contact cc.chango.com before loading. I deactivated and deleted the CC Plus plugin and the malicious js code disappeared. DO NOT USE THIS PLUGIN!!!!!

  2. It adds malicious js code including links to the infamous tracking site cc.chango.com.

    That's very serious. Do you know where in the plugin source code that happens? I haven't yet installed this plugin.

  3. TheWatcher2
    Member
    Posted 1 year ago #

    If you install it on a test site, use Firebug to inspect the code on the page that uses the plugin. Search for the chango name and you will see the js code immediately come up. If you then deactivate or delete the CSS Plus plugin, the js code will disappear. I wouldn't be surprised if the plugin was sponsored by this corporate site to secretly insert their code into WordPress development. The end result is to be able to track everyone that visits a site and do it surreptitiously. This shouldn't be allowed in WordPress plugins.

  4. TheWatcher2
    Member
    Posted 1 year ago #

    I haven't found where the code appears within the plugin itself, however. I would investigate further, but I consider the software to be too dangerous to have even on my test site. I don't know what other silent tracking schemes or bots might be included within the plugin's code.

  5. paulo4lzn
    Member
    Plugin Author

    Posted 1 year ago #

    Hello,
    Do can you display where you found this error, please?

  6. TheWatcher2
    Member
    Posted 1 year ago #

    Well this is interesting. I was brave enough to again download the plugin and install it on my test site (not the live site). Amazingly, this time the cc.chango.com javascript code did not appear on the pages. Did you remove it? Even so, this time after plugin activation, no pages or posts would load completely from my test site. I again deactivated it and removed the plugin and everything is back to working normally. Seeing that I tested the appearance of the chango js code several times--activating and deactivating the CSS Plus plugin and seeing it appear and disappear--you must have removed it from the latest downloadable version. This plugin is a nice concept that is needed in WordPress development, but I no longer trust that it doesn't contain secret code to do other things.

  7. crazyraccoon
    Member
    Posted 11 months ago #

    This is a serious accusation. Can you tell us if you figured out what was causing the malicious injection? Was it this plugin or was it a virus on your computer/server?

Topic Closed

This topic has been closed to new replies.

About this Plugin

  • CSS Plus
  • Frequently Asked Questions
  • Support Threads
  • Reviews

About this Topic

Tags

No tags yet.