wp-felody folder

me too , I already delete this plugin temporarily. and not yet problem. “wp-felody” plugins cannot see in wordpress plugin list. it’s found in ftp plugin folder

The same thing happened to me: it infected two websites. In addition, it creates redirects in which advertising pops up. Remove the plugin from your system as soon as possible, while they resolve it. And from the File Manager, delete the wp-felody folder that is in wp-content/plugins/

Same for me.

no folder was created but i found injected encoded javascript on pop us who tried to download virus or adware (Custom js tab) with a kaspesky alerte :

Niveau de menace: élevé
Type d’objet: Fichier
Nom de l’objet: wp-felody.php
Chemin de l’objet: https://get.specialcraftbox.com/loc/g.php//wp-felody

I prefere to completely remove the plugin. all my wordpress is up to date.

Hi All,

We are sorry to hear that you are having this issue with popup builder. Could you please update Popup builder to latest version. This will fix the issue. If the issue persists, please let us know.

Regards

After updating seems this redirect adware has been resolved. Moving forward, do we still NEED this ‘wp-felody’ plug-in, or is this the problem?

Hi @rawb753

The problem was wp-felody.

That “plugin” is the one that contained a file that generated the redirects. Delete that entire folder from the server’s file manager.

In my case, not even updating the plugin to the latest version solved it. What’s more, the infection started after updating.
Therefore, I have removed this plugin from all my installations, and replaced it with another one.

And it seems terrible to me that the author has not apologized or said anything about it.

i updated the plug-in and deleted wp-felody and Wordfence found the file as critical which lead me here. Also in the plug-in go to your popup and edit and down to custom css and it had added a load of custom css code. I deleted that as well and saved and now my issue has gone after doing that.

@coxie – thanks for that addition! That was really helpful.

I was still seeing the issue after removing the malicious ‘wp-felody’ plugin. It wasn’t until I’d checked our pop-up code that we spotted the malicious CSS additions there.

The site had a one-time-only, home page pop-up, and as a result, the redirect was only happening intermittently, the first time someone went onto the home page. On next page view, the pop-up wouldn’t load and the malicious redirect CSS wasn’t triggered.

Additionally, I found that it was only happening for iPhone Safari users, so had to use BrowserStack to replicate the issue as I’m on Android & Windows devices.

Our full list of fix tasks was:

• Scan for vulnerabilities using WordFence.
• Remove the ‘wp-felody’ plugin completely.
• Check all pop-ups and remove any unexpected additional CSS/JS.
• Test using BrowserStack free version to check other device types.

Hi @joekhartley

True, on the two websites that were infected, it also only happened with iPhone and Safari clients.
Besides, even deleting and cleaning everything, the redirection still occurred, because the pages were cached. I had to clean the cache of the site and the server well.
In case this helps anyone.

Same issue, even with the Popup Builder update (4.2.6 as of 02-01-24) the infection persists. A scan and clean of all files is needed, wp-felody plugin needs to be deleted, and all additional css on all popups need to be deleted. It’s best to just to delete all old popups or replace the plugin entirely.
The malicious redirects also happen on Firefox, and not just on the homepage, but on subpages. So if your site is infected, checking the homepage for redirects in private or incognito mode is not enough, check your other pages too.

Question for support: where is the addition css for popups stored? I see malicious code in the exported xml in the meta_key sg_popup_scripts is that stored int eh database or in another file somewhere?

• This reply was modified 9 months, 4 weeks ago by kiplog. Reason: Added question for support