vSlider plugin injecting hidden code into page footers

**Ryan** · 06-11-2010, 08:33 AM

A client of mine asked me to help them install the following plugin:
http://wordpress.org/extend/plugins/vslider/

I quickly discovered this plugin contains a few intentional nasties and should not be used:

PHP Code:

 <?php

function vSlider_link() { ?>
<noscript><a href="http://www.vibethemes.com/" target="_blank" title="wordpress themes">Vibe Themes</a></noscript>
<?php }

// other code here

add_action('wp_footer', 'vSlider_link');

?>

That code injects a link into your footer. However it only shows up when you have javascript turned off, hence no one has probably noticed yet.

Just posting this here in case any of you Taverner's happen to use the plugin.

**williamsba** · 06-11-2010, 08:39 AM

Wow, that's a really shady technique. I'll share with @mark_r, and I'm sure he'll remove the plugin from the WP.org directory because of this.

**Kim** · 06-11-2010, 08:52 AM

This was reported on the wordpress.org forum 5 months ago, and the plugin's still in the repo? http://wordpress.org/support/topic/347001

And that exact issue is listed in their FAQ on wordpress.org. How did this one get accepted into the repo in the first place?

**conorp** · 06-11-2010, 08:55 AM

Read the Faqs
http://wordpress.org/extend/plugins/vslider/faq/

This plugin injects a hidden link into the footer. It's unusable until it's fixed.

It is a link to the author site wrapped in noscript tag like most traffic tracking services does. If it was a theme you would have no problem with a footer link but if it�s a plugin why is a different story?

**williamsba** · 06-11-2010, 08:56 AM

The requirements for plugin inclusion state any links have to be opt-in, not opt-out which is the case here. http://wordpress.org/extend/plugins/about/

**Ryan** · 06-11-2010, 08:58 AM

I've emailed him via plugins@wordpress dot org already, but if you have a faster way of tracking him down that would be great :)

**Ipstenu** · 06-11-2010, 09:01 AM

To the Read the FAQ comment, you should too because of this:
http://wordpress.org/extend/plugins/about/

There are only a few restrictions
[...]
4. The plugin must not embed external links on the public site (like a "powered by" link) without explicitly asking the user's permission.
[...]

**Ryan** · 06-11-2010, 09:05 AM

Originally Posted by Ipstenu

Perhaps because of this:
http://wordpress.org/extend/plugins/about/

Perhaps what?

Not sure what you are referring to there as the link you posted states that you aren't allowed to embed external links without asking permission.

**Ipstenu** · 06-11-2010, 09:45 AM

I was replying to this post and my PC hung up a moment so... that came out weird... *sigh*

Point I was trying to make is this: You cannot tell someone 'read the faq, that's why and we're covered.' if you, in return, aren't reading and complying to the OVERALL faq.

**conorp** · 06-11-2010, 09:54 AM

Originally Posted by Ipstenu

I was replying to this post and my PC hung up a moment so... that came out weird... *sigh*

Point I was trying to make is this: You cannot tell someone 'read the faq, that's why and we're covered.' if you, in return, aren't reading and complying to the OVERALL faq.

I'm actually against this plugin btw.

I was just showing that they actually admit to it, compared to many who just chuck them in the footer.

Still should be pulled from the repo though.

Thread: vSlider plugin injecting hidden code into page footers

LinkBack

Thread Tools

Display

vSlider plugin injecting hidden code into page footers

Posting Permissions