Does WordPress check submitted plugins?
This came to my mind: what is the process to get your plugin hosted on WordPress Extend? Do the people at WordPress actually check the submitted plugins and make sure these plugins don't contain any malicious code?
During the weekend, I happened to test some plugins in order to tweak some of the settings of my blog, and I found this plugin, Last Year Widget, which perfectly meets my need: it shows your archived posts from the previous year during the same period.
I thought that a plugin I downloaded from the WordPress main site shouldn't have any problem, but when I used it in my sidebar the display looked a bit funny. I thought it was some CSS issue and planned to edit the code. Guess what I found?
<span style="visibility: hidden;"><a href="http://www.sterling-adventures.co.uk"> </a></span>
If you are not into HTML/web programming/web design, what it does is put this link on your blog when you use the plugin, but it doesn't show up. You won't see it, but you are giving him a free link back. Today someone can just hide a link like this; tomorrow maybe one of the famous plugins is the reason your blog has been hacked!
I advise anyone who uses a lot of plugins to check your source code and look for any link you don't know about but that is found in your source code. On a side note, WordPress Exploit Scanner really sucks because it cannot tell that this plugin has a problem.
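One way to do the source check suggested above, added here as an example and not code from the original post or from the plugin: it parses a page's rendered HTML and reports anchors that point off-site while wrapped in an element hidden with inline visibility:hidden or display:none, the exact pattern quoted above. The sample HTML and its hostnames are constructed placeholders.

```python
# Added example (not the plugin's or WordPress's code): flag off-site links wrapped in
# elements hidden by inline CSS, the pattern quoted in the post. Limitation: it only sees
# style= attributes, not hiding done via a class and a stylesheet.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDING_RULES = (re.compile(r"visibility\s*:\s*hidden", re.I),
                re.compile(r"display\s*:\s*none", re.I))
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}  # never get a closing tag

class HiddenLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []        # one bool per open element: does it hide content?
        self.hidden_depth = 0  # how many enclosing elements hide content
        self.findings = []     # (href, line number in the HTML)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = any(r.search(attrs.get("style") or "") for r in HIDING_RULES)
        if tag not in VOID_TAGS:
            self.stack.append(hides)
            self.hidden_depth += hides
        if tag == "a" and self.hidden_depth:
            href = attrs.get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            if host and host != self.site_host:  # only report links leaving the site
                self.findings.append((href, self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack and self.stack.pop():
            self.hidden_depth -= 1

def find_hidden_links(html, site_host):
    """Return [(href, line)] for off-site anchors inside hidden elements."""
    parser = HiddenLinkFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample (placeholder hosts): one real archive link, two hidden outbound ones.
SAMPLE_HTML = """<div class="widget"><h2>This time last year</h2>
<ul><li><a href="https://myblog.example/2007/03/hello">An old post</a></li></ul>
<span style="visibility: hidden;"><a href="http://hidden-link.example/"> </a></span>
<p style="display:none"><a href="http://seo-spam.example/x">cheap links</a></p></div>"""
```

Run it over the saved page source of your own blog (view-source in the browser, or curl the front page) with your own hostname as `site_host`; anything it lists deserves a look at which plugin emitted it.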