Sites infected after update

Hi,
first of all that script is not getting added by the plugin and the plugin has been extensively tested across many websites before actually publishing it to the world. I have not seen this on any website. Beside feel free to download the plugin code and search for the script you are seeing to see if there is any trace of that script anywhere in the plugin code.

I will highly recommend you to run some more tests to dig deeper to see exactly where that code is getting added or by what. I can tell you with certainty that this plugin’s code has no such nonsense in it but you can also download the plugin code and run a search by yourself.

After deactivating the plugin, and scanning with various scanners, as well as studying the code, no infections were found. If you say it’s clean, I’ll activate the plugins and see what happens. As you can see from the script code, it seems that this may have been done because of the enabled feature (Allow notifications from other blogs (notifications and backlinks) for new posts). Similar to spam, but nowhere (it was not reflected in the records). I admit that someone found a vulnerability in your plugin, but this is just a thought. Let’s see what will happen next. Thanks

Allow notifications from other blogs (notifications and backlinks) for new posts

– That’s a WP feature and not a plugin feature

I admit that someone found a vulnerability in your plugin, but this is just a thought. Let’s see what will happen next.

– Well, with this plugin active you can run a search at the server level (command line) to see where the code is being added from.

As I said, I’ve tested the plugin across many sites and did not face any issues like these even once. Also if there is any vulnerability like you say, then organizations like WPScan would have already reported it as they actively monitor all open-source plugins.

Привет! У меня такая же ситуация. После обновления плагина Super Page Cache for Cloudflare появился этот скрипт. После деинсталяции или отката на предыдущую версию плагина эта заставка исчезает

Well, I google translated the above texts and it seems people are saying the issue is coming form swwetalert2 script which is the only third party script present on the site. I will update the sweetalert script to the latest version and sent you guys a link soon. Please download the plugin build from there and use that. But before installing, make sure you delete the plugin from the site and then install this build so that there is no old plugin residue present.

Well, turns out this is not malware but a proper attack. ?????♂? Link: https://github.com/sweetalert2/sweetalert2/issues/2552
I honestly have no words. Give me some time to recompile the code without this malware embedded by the devs as a sign of protest and release an update.

• This reply was modified 2 years ago by iSaumya.

Can you all please download and use this build of the plugin and confirm if the problem is resolved with this build? Once you confirm I will prioritize the release of v4.7.2 update with this fix.

P.S.: I honestly had no idea that an open-source library as popular as sweetAlert2 can have political malware officially added to it like this. This is truly not a healthy thing considering the libraries are used across so many different systems.

I guess this is not going to be removed by them anytime soon until this whole Russia mess is over. But then again this is the first time I have seen an Official Verified malware by the creator. ?????♂?

Anyways, download and use the above-mentioned build and let me know.

@isaumya

sweetalert JS library maliciousness to russian sites/users is confirmed long ago on russian support forum.
It is not the first malware targeted on russian sites or/and users, but maybe one of the first widely used 3rd party libraries which introduced that kind of issue.

@po64
давайте тут без политики,политоты и прочих нетехнических вещей, не относящихся непосредственно к проблеме.
И уж тем более, что этот скрипт написан не автором, а третьей стороной. Автор вон не в курсе, т.к. малварь работает только на .ru сайтах

Hi @fierevere,
thanks for the info. I was totally unaware of it until I looked at the source code of the latest sweetAlert2 library after seeing this thread. As I do not follow Russian forums, I had no idea about it. Moreover I honestly never thought that anyways can create a protestwar like this. As open-source codes and politics are two separate things. This is truly disheartening.

Anyways, let’s wait for @silasveta2012 & @po64 to reply back after using the new build link given above and once they confirm that the issue no longer exists with that build will push v4.7.2.

https://github.com/sweetalert2/sweetalert2/blob/642b9b6ace11561fbe27a684f315716829860417/src/SweetAlert.js#L235

thats the code, if you still need it.

Thank you for healthy vision on this problem.
Using power of OpenSource for propaganda is one of the worst thing we can see last times.

Thanks, but I switched my sites to a third party cache plugin and wasted quite a lot of resources. Perhaps tomorrow my test site will be updated in cloudflare, and I will install it. I think by then someone will already test it.

Installed on a test site, there is no splash screen. Thanks for the correction

Thanks for the testing. Will push the update tomorrow morning.

Thank you @silasveta2012 & @po64 for testing the build. I’ve now pushed v4.7.2 with this fix and you won’t be seeing this issue again.

I’m resolving this thread now.