Title: Plugin hacked? Last modified: October 16, 2020 --- # Plugin hacked? * Resolved [shngrdnr](https://wordpress.org/support/users/shngrdnr/) * (@shngrdnr) * [5 years, 7 months ago](https://wordpress.org/support/topic/plugin-hacked-14/) * A wordpress site I administer makes use of the insert pages plugin to pull content from other pages onto the front page, using the page slug method. * Yesterday one of the insert pages shortcodes, instead of displaying the content from a page, showed bogus content from a Chinese source. * I’ve pulled the shortcodes from the front page and set up a test page to recreate the issue (via WP’s preview). Looking at the rendered code, it seems the shortcode has been hijacked somehow – instead of displaying the intended page’s ID, a different page ID is shown. There’s no such page ID shown on the WP backend. * I’m not sure what might have happened here. From my limited knowledge, it seems that someone’s created a bogus page on the database, and then hijacked the shortcode to display that page instead. Is this a likely explanation? A Wordfence scan reports no problems on the site, and there have been no logins that are unaccounted for. Viewing 5 replies - 1 through 5 (of 5 total) * Thread Starter [shngrdnr](https://wordpress.org/support/users/shngrdnr/) * (@shngrdnr) * [5 years, 7 months ago](https://wordpress.org/support/topic/plugin-hacked-14/#post-13542573) * Update: I see that the hack appears to have been made via the Contact Form 7 plugin – Flamingo records an inbound message with the same content as shown via the Insert Page shortcode. * So, it seems someone sent a message via Contact Form 7, and then piggy-backed off the Insert Page plugin to display that message instead of the intended page. - This reply was modified 5 years, 7 months ago by [shngrdnr](https://wordpress.org/support/users/shngrdnr/). * Plugin Author [Paul Ryan](https://wordpress.org/support/users/figureone/) * (@figureone) * [5 years, 7 months ago](https://wordpress.org/support/topic/plugin-hacked-14/#post-13544354) * If you try to visit that page slug directly, which content shows? The plugin uses the core function `get_page_by_path()`, so it might be a weakness with how that function figures out what content to show. [https://developer.wordpress.org/reference/functions/get_page_by_path/](https://developer.wordpress.org/reference/functions/get_page_by_path/) * Thread Starter [shngrdnr](https://wordpress.org/support/users/shngrdnr/) * (@shngrdnr) * [5 years, 7 months ago](https://wordpress.org/support/topic/plugin-hacked-14/#post-13546348) * Using the page slug the correct content shows – but I actually think this might be the problem. The email that was showing had the same subject line as the page that was supposed to be displaying, so I think this created trouble for the plugin. * In effect, a message was sent via Contact Form 7 (and saved with Flamingo). That message had exactly the same subject line as the slug of the page being referenced by Insert Page – this, I’m guessing, resulted in the saved message being shown instead of the page. * I’m going to try switching Insert Pages to the Page ID mode instead of Page Slug and see if that solves the problem. * Thread Starter [shngrdnr](https://wordpress.org/support/users/shngrdnr/) * (@shngrdnr) * [5 years, 7 months ago](https://wordpress.org/support/topic/plugin-hacked-14/#post-13546357) * Switching to the Page ID method fixed the problem. I’m guessing as said that a crossover between the message and the page because of a shared subject line/ page title was the issue. * Thanks for the help Paul – it seems a pretty unlikely scenario but I wonder if it’s worth mentioning to users the (remote) possibility that this might happen using the Page Slug referencing approach? * Plugin Author [Paul Ryan](https://wordpress.org/support/users/figureone/) * (@figureone) * [5 years, 7 months ago](https://wordpress.org/support/topic/plugin-hacked-14/#post-13565260) * Interesting; it looks like Flamingo registers a custom post type to store the inbound messages, and that’s why `get_page_by_path()` is finding that via the slug lookup. [https://plugins.trac.wordpress.org/browser/flamingo/trunk/includes/class-inbound-message.php#L28](https://plugins.trac.wordpress.org/browser/flamingo/trunk/includes/class-inbound-message.php#L28) * For Insert Pages, we will explicitly exclude the post types that Flamingo registers, which should prevent the spammy behavior you noticed. I can’t imagine other users would ever want to insert that kind of content, so I’m not too worried about breaking functionality. [https://github.com/uhm-coe/insert-pages/commit/38fb134900c8d20390e4a59c3ade67d4fc3ff311](https://github.com/uhm-coe/insert-pages/commit/38fb134900c8d20390e4a59c3ade67d4fc3ff311) * I just released a new version (3.5.7) with this change, thanks for investigating! Viewing 5 replies - 1 through 5 (of 5 total) The topic ‘Plugin hacked?’ is closed to new replies. * ![](https://s.w.org/plugins/geopattern-icon/insert-pages.svg) * [Insert Pages](https://wordpress.org/plugins/insert-pages/) * [Frequently Asked Questions](https://wordpress.org/plugins/insert-pages/#faq) * [Support Threads](https://wordpress.org/support/plugin/insert-pages/) * [Active Topics](https://wordpress.org/support/plugin/insert-pages/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/insert-pages/unresolved/) * [Reviews](https://wordpress.org/support/plugin/insert-pages/reviews/) * 5 replies * 2 participants * Last reply from: [Paul Ryan](https://wordpress.org/support/users/figureone/) * Last activity: [5 years, 7 months ago](https://wordpress.org/support/topic/plugin-hacked-14/#post-13565260) * Status: resolved