From reddit: http://www.reddit.com/r/wow/comments..._to_remove_it/
The people going crazy about it though are quite hilarious. I don't actually think it's a big deal but in case you're paranoid you can download the latest version (if you haven't rage-abandoned the addon already) with the code removed.
So last night in LFR, a lot of people (myself included) randomly started following one person and posting random things in instance chat like 'this is elv' etc. After LFR I decided to have a look at the ElvUI code and discovered the author actually put a backdoor in it enabling her to post messages to ANY channel and execute ANY console command on behalf of ElvUI users. Below is a screenshot of the ElvUI core.lua:
http://imgur.com/WYVJplW
Basically the author has flagged her three characters as devAlts (see red outlined code).
The first block of blue outlined code checks for "devAlts[sender] == true", i.e. a devAlt is sending the command, and "devAlts[myName] ~= true", i.e. a devAlt is NOT receiving the command, then calls SendChatMessage(msg, channel, nil, sendTo), i.e. sends a chat message to any channel she wants.
The second block of blue code similarly is able to execute whatever console commands she wants to force a user to run.
This is potentially very dangerous; it could potentially 'kick' anyone with ElvUI she wants from LFG groups, disband guilds, etc. There is no need for such a backdoor, and the fact that devAlts are specifically excluded from being targeted by this system is dodgy. I haven't looked through the rest of the code to determine if the UI is able to access anything other than console or chat, but it is really dangerous having a backdoor in a UI so many players use.
To disable this, you must go to your wow install directory\interface\addons\elvUI\core\core.lua, Ctrl+F to find 'Elv-ShatteredHand' and delete all three entries under devAlts so that function should now look like:
local devAlts = {
}
While this doesn't disable the backdoor fully, it ensures no one is able to make use of it. I really hope in the future addon authors (and programmers in general) can refrain from placing these backdoors in their code. They serve no legitimate purpose and are generally irritating to remove.
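
As an added example (not part of the original post and not ElvUI's code): a small Python audit that flags the two patterns described above in an addon's Lua source, a hardcoded Name-Realm identity table and a chat or console call gated on a sender lookup. The sample Lua is constructed from the post's description, and the sink names other than SendChatMessage are assumptions about which WoW API calls are worth flagging.

```python
import re

# Constructed sample shaped like the check the post describes; not ElvUI's real code.
SAMPLE_LUA = """\
local devAlts = {
    ["Devchar-ExampleRealm"] = true,
}
local function OnAddonMessage(msg, channel, sender, sendTo)
    if devAlts[sender] == true and devAlts[myName] ~= true then
        SendChatMessage(msg, channel, nil, sendTo)
    end
    if devAlts[sender] == true and devAlts[myName] ~= true then
        ConsoleExec(msg)
    end
end
"""

# Assumption: calls worth flagging when reachable from a sender check.
SINKS = ("SendChatMessage", "ConsoleExec", "RunScript", "loadstring")
SINK_CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\(")
SENDER_GATE = re.compile(r"\b(\w+)\[\s*sender\s*\]")         # table indexed by sender
NAME_REALM = re.compile(r"[\"']([A-Za-z]+-[A-Za-z]+)[\"']")  # "Name-Realm" literal

def indent_of(line):
    return len(line) - len(line.lstrip())

def audit_lua(source):
    """Return (line_no, kind, detail) findings for one Lua file (heuristic, line-based)."""
    findings = []
    lines = [l.split("--", 1)[0] for l in source.splitlines()]  # drop line comments
    for i, code in enumerate(lines):
        for m in NAME_REALM.finditer(code):
            findings.append((i + 1, "hardcoded-identity", m.group(1)))
        gate = SENDER_GATE.search(code)
        if not (gate and re.search(r"\bif\b", code)):
            continue
        # Walk the if-body until the `end` that closes it (indentation-based).
        for j in range(i, len(lines)):
            sink = SINK_CALL.search(lines[j])
            if sink:
                detail = gate.group(1) + " -> " + sink.group(1)
                findings.append((j + 1, "sender-gated-sink", detail))
            one_liner = j == i and re.search(r"\bend\s*$", lines[j])
            closer = j > i and re.match(r"\s*end\b", lines[j])
            if one_liner or (closer and indent_of(lines[j]) <= indent_of(code)):
                break
    return findings
```

Emptying the devAlts table clears the hardcoded-identity finding but leaves both sender-gated sinks, which matches the post's note that the edit does not fully disable the backdoor.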