Support » Plugin: CSS Plus » Beware: adds malicious js code!

  • Do not install this plugin on your WordPress site. It adds malicious js code including links to the infamous tracking site This site tracks users everywhere they go on the internet and CSS Plus adds code to every page or post, which includes the js code to contact the site. Every page I tried to load from my site hung and waited as it tried to contact before loading. I deactivated and deleted the CC Plus plugin and the malicious js code disappeared. DO NOT USE THIS PLUGIN!!!!!

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator Jan Dembowski


    Brute Squad and Volunteer Moderator

    It adds malicious js code including links to the infamous tracking site

    That’s very serious. Do you know where in the plugin source code that happens? I haven’t yet installed this plugin.

    If you install it on a test site, use Firebug to inspect the code on the page that uses the plugin. Search for the chango name and you will see the js code immediately come up. If you then deactivate or delete the CSS Plus plugin, the js code will disappear. I wouldn’t be surprised if the plugin was sponsored by this corporate site to secretly insert their code into WordPress development. The end result is to be able to track everyone that visits a site and do it surreptitiously. This shouldn’t be allowed in WordPress plugins.

    I haven’t found where the code appears within the plugin itself, however. I would investigate further, but I consider the software to be too dangerous to have even on my test site. I don’t know what other silent tracking schemes or bots might be included within the plugin’s code.

    Plugin Author paulo4lzn


    Do can you display where you found this error, please?

    Well this is interesting. I was brave enough to again download the plugin and install it on my test site (not the live site). Amazingly, this time the javascript code did not appear on the pages. Did you remove it? Even so, this time after plugin activation, no pages or posts would load completely from my test site. I again deactivated it and removed the plugin and everything is back to working normally. Seeing that I tested the appearance of the chango js code several times–activating and deactivating the CSS Plus plugin and seeing it appear and disappear–you must have removed it from the latest downloadable version. This plugin is a nice concept that is needed in WordPress development, but I no longer trust that it doesn’t contain secret code to do other things.

    This is a serious accusation. Can you tell us if you figured out what was causing the malicious injection? Was it this plugin or was it a virus on your computer/server?

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Beware: adds malicious js code!’ is closed to new replies.