[resolved] W3-total-cache readme file still malware (6 posts)

  1. robguyy
    Member
    Posted 1 year ago #

    I've seen several references to the W3 total cache malware problem being fixed.

    Baloney.

    I just downloaded the latest plugin files directly from the WordPress Plugin directory on WordPress.org's own server, and the W3 readme .html file contains a link to a site identified by Google as malware.

    I found the malware link using WordFence, just after doing a malware scan, and the results were that WordFence found a link in that readme file (I will not post the name of the link file here, in this space). If anyone finds the link in the readme.html file, and then cuts and pastes the link into a web browser, they are presented with an immediate: "Something's not right here" malware notice from Google.

    My solution: Delete the readme.html file.

    Honestly, doesn't anybody check these things before plugins are put in the repository? This is the latest version of this plugin, and the link's presence and ultimate Web destination are undeniable.

    How it got there is best left up to better detectives than I am.

  2. There are 156 URLs in that plugin's current readme.txt file (you do mean the .txt file, right?). Have you tried contacting the plugin author directly and let him know which one(s) has a problem?

    http://www.w3-edge.com/contact/

    That may be a more productive solution.

  3. robguyy
    Member
    Posted 1 year ago #

    It's obvious you didn't read the post. There is no reason to leave security behind to push out a plugin. You'd also see from my post that I did find a link.

    Don't you think WordPress should be more receptive to a report of a security issue, rather than take a position of "My shoes don't stink"?

    Let me help support by giving the link that could have been sent offline. Here is the link that is still a link to malware, and will be malware until Google quits intercepting people trying to go there.

    [ Moderated. Thanks for disclosing that responsibly. ]

    I think I'm done with trying to talk to deaf people.

  4. I'm sorry about that! Looking closer now.

    > I've seen several references to the W3 total cache malware problem being fixed.

    Okay.

    > and the W3 readme .html file contains a link to a site identified by Google as malware.

    Got it.

    > My solution: Delete the readme.html file.

    Oh, the readme.html file. Sorry, where's that? I found lots of index.html files, one readme.txt file but not one readme.html file in the zip for 0.9.2.4.

    That's not a very good solution.

    Did you read my post? We all take security very seriously here. If you've found a link within any of the plugin files that refers to a Bad Place™ then you did the right thing by not sharing the link.

    But if you really want to be productive then please inform the plugin author. I am very sure he'll take that report seriously and you'd be accomplishing something to the benefit of everyone.

    That's what I meant by

    > have you tried contacting the plugin author directly and let him know which one(s) has a problem?

    It's your call, and you should do as you please. But be aware, my shoes don't stink.

  5. robguyy
    Member
    Posted 1 year ago #

    It's the readme.txt. If you read it, you'll see it.

  6. Thanks. I've already taken that info, used the contact link, and received a response back. They'll do what they need to do now.

This topic has been closed to new replies.