Support » Fixing WordPress » Mystery: pattern of X’s in form boxes are appearing on pages

  • Hi, really hoping someone in the community can help with this baffling issue.

    Please see screenshot here: https://www.dropbox.com/s/jsnw9szo81bvrg9/06-24-2018-1.png?dl=0

    And live demo page: https://michaelcharvet.com/uncategorized/product-review/

    That pattern of X’s within what appear to be fields are appearing on pages that have a form. For example, a WP comment form, or a Elementor form. At least that’s what I’ve seen so far. However, they are not working fields, you cannot enter data.

    The pattern flashes on screen in Firefox, but persists in Chrome.

    I have gone though all the typical troubleshooting steps over two days:

    Deactivate all plugins
    Switch to the 2017 theme
    Scan site with WordFence and Sucuri – clean
    Liquid Web hosting scanned the server – no malware or problems
    Stripped out custom CSS
    Searched the database for signature of the code (below) – no match

    Yet the pattern won’t go away.

    Sometimes it’s just one instance on a page, sometimes several instances on the page (multiple lines). I have deleted the code in the page, only to have it come back. So far, I’ve seen it on two sites that are live on my VPS server, but other sites on that server, largely using the same plugins, are fine.

    Here’s the snippet, do you recognize it?

    <div id=”ir-ext-ui” style=”color: #000000; font-size: 16px; line-height: 16px; background-color: #f7f7f7; border: 1px solid #999999; border-radius: 1px; top: 1px; left: 1px;”>
    <div class=”ir-ext-dimensions”><span class=”ir-ext-rendered” title=”Rendered image dimensions (after any scaling/resizing has been applied)”> x </span> <span class=”ir-ext-natural” title=”Natural image dimensions (without applying any scaling/resizing)”> (x) </span></div>
    <div class=”ir-ext-filesize”></div>
    </div>

    I have contacted support for GeneratePress and Elementor. They don’t have any idea and deny it’s their theme / plugin.

    It’s infuriating because I’m on a due date, trying to get a new site live. It looks bad!

    If anyone has a different troubleshooting method, or idea, please let me know. Thanks!

    • This topic was modified 5 months, 2 weeks ago by  .
    • This topic was modified 5 months, 2 weeks ago by  .

    The page I need help with: [log in to see the link]

Viewing 15 replies - 1 through 15 (of 19 total)
  • Moderator t-p

    (@t-p)

    It may be theme/plugin conflict. Try:
    – deactivating ALL (yes all) plugins temporarily to see if this resolves the problem (plugin functions can interfere). If this works, re-activate them individually (one-by-one) to find the problematic plugin(s).
    – switching to the unedited default Theme (Twenty Seventeen, etc.) for a moment using the WP dashboard to rule out any theme-specific issue (theme functions can interfere like plugins).

    Alternately, if you can install plugins, install Health Check. On the troubleshooting tab, you can click the button to disable all plugins and change the theme for you, while you’re still logged in, without affecting normal visitors to your site.

    Hi, thanks. I’ve already run through these steps as explained in my post. Health Check has too many negative reviews, not going to chance it.

    I’ve you’ve switched to a default theme and deactivated all plugins (remember that you have to do this at the same time, not one-at-a-time) then something else is injecting that code into your site. Check for any rouge PHP files outside of your installation, or run a search through your database to see what’s there. It looks like it’s part of the posts content, so if that’s the case you’ll se eit in the editor.

    The only clue comes from the class names. “ir-ext-ui” and the other classes all look like they belong to the ExtJS system, and that would make sense with the way that the HTML code looks.

    @catacaustic Thanks, if I could only find what part of my install is using ExtJS ;-).

    Yes, agreed, seems like *something* is injecting. As far as the rouge files, I have scanned with the Sucuri and WordFence. Sucuri did find some suspicious files that are not part of the WP core, I deleted those, but no change.

    And yes, when the code is injected, it’s very easy to see in the text-mode editor, but when deleted, it comes back. So it’s being re-injected.

    So I’m wondering, is it possible that a plugin or theme installed improperly, or to put it another way, is not deactivating properly and is leaving behind some junk?

    The strange this is, I tried to replicate this on my testing site, and could not do it. It’s clean. But rather than deactivating the plugins, I actually deleting them entirely, then re-installed – no errors.

    So I’m going to try that next . . . actually deleting the plugins across the board, deleting the themes too, then re-installing.

    Do you think there’s any benefit to re-installing WP itself too? I downloaded a fresh version when I re-built this site a few weeks ago, but I suppose it could have been corrupted between then and now.

    By the way, I did a database search for various string presents in the re-appearing code, and found nothing. I’m not sure that’s definitive, but suggests the injection is coming from outside the database. Am I correct?

    I would suggest doing what you’ve said, deleting and uploading new plugins and the WordPress core files, along with the theme if possible. That should fix whatever the problem is.

    @catacaustic Thank you, I just finished that tedious process on one site, and so far, it seems good – no re-appearance of the code. I’m editing pages, using Elementor, seeing if anythin triggers a relapse. Then I’ll move on to the client site, which is the one that’s critical. Will report back.

    So far, it’s working 😉 So I would suggest for anyone that has a similar issue, consider:

    Reinstall WordPress core
    Delete themes and reinstall
    Delete plugins (retain the settings as necessary), and reinstall
    Run Sucuri + WordFence scans

    Moderator t-p

    (@t-p)

    Glad to know it’s all working 🙂

    • This reply was modified 5 months, 2 weeks ago by  t-p.
    Forest Skills

    (@forest-skills)

    Glad to see that it’s not just my sites that are being affected by this. But what is it that’s doing it??

    Forest Skills

    (@forest-skills)

    Just to add to this thread, the code only seems to be injected into the page you’re working on/saving, but it also affects woocommerce product pages as well as regular pages/blog posts.

    Yours too? I’ve still not discovered the exact source, but it has since cropped up on two more of my sites! Really a pain.

    Yesterday, it showed up on a site I hadn’t touched for a while, AFTER I updated the plugins. Maybe we can compare notes to figure this out? Hang on, I’ll post my plugins list, see if there’s common ground. Thanks.

    Moderator t-p

    (@t-p)

    @michaelnorth,

    please do not jump into other topics. If the troubleshooting already posted made no difference for you, then, as per the Forum Welcome, please post your own topic. A lot more people will see your post this way. That way you stand a good chance of getting the assistance you want.

    @sterndata Thanks for re-opening — makes much more sense than starting a new thread.

    A small update just to be clear: As @forest-skills mentioned, whenever any text box, form, or almost anything it seems is edited, or a new post / page is created, the offending code snippet is injected immediately and must be manually deleted. Editing re-injects the code. This happens site-wide, across multiples sites. That suggests a plugin is responsible since some of my sites use different themes and builders, yet they have this issue in common.

    One of the sites I was updating was clean — without this issue — then the issue appeared after updating WP, updating several plugins, and adding a few plugins.

    Here’s a current screenshot: https://www.dropbox.com/s/b3zpa2dumom1nxm/07-19-2018-2.png?dl=0

    @forest-skills Are you using any of these?

    Updraft
    Antispam Bee
    Sucuri
    Post Type Switcher
    Fast Velocity Minify
    Schema Pro
    Admin Columns

    • This reply was modified 4 months, 3 weeks ago by  .
    • This reply was modified 4 months, 3 weeks ago by  .
    • This reply was modified 4 months, 3 weeks ago by  .
    • This reply was modified 4 months, 3 weeks ago by  .
    • This reply was modified 4 months, 3 weeks ago by  .
    • This reply was modified 4 months, 3 weeks ago by  .
Viewing 15 replies - 1 through 15 (of 19 total)
  • You must be logged in to reply to this topic.