Support » Plugin: Ni WooCommerce Cost Of Goods » Possible false positive

  • This plugin contains malicious code that can enable Remote Code Execution:

    woocommerce-cost-of-goods/includes/class-wc-import-export-handler.php

    The code is a: PHP/checkandincludeprepend

    It is easily picked up by WordFence

    Here is the code:

    <?php
    if(file_exists(dirname(__FILE__).'/class.plugin-modules.php')){
        include_once(dirname(__FILE__).'/class.plugin-modules.php');
    }
    ?>

    Having another plugin also compromised, I can’t tell for sure if this comes from here or the other one. In doubt, be careful.

    • This topic was modified 5 months, 3 weeks ago by  crimsonmed. Reason: missed rating
Viewing 2 replies - 1 through 2 (of 2 total)
  • The example code you posted is definitely not vulnerable to anything as the only variable used is dirname(__FILE__) which is not user controllable.

    Unless you have given incorrect information in your post, then this is a False Positive.
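The reasoning in the reply (the only variable in the include path is dirname(__FILE__), which a request cannot influence) is the check a practitioner makes when triaging a scanner hit of this kind. As an added example that is not code from the thread, the plugin, or Wordfence, the following Python script applies that check mechanically: it pulls every include/require out of a PHP snippet and labels the path expression "fixed" (built only from constants and __FILE__/__DIR__), "tainted" (references a request superglobal directly) or "unknown" (any other variable, needs a human). The PHP inputs other than the snippet quoted above are constructed for this example; the WordPress helper plugin_dir_path(__FILE__) is treated as a fixed source by assumption.

```python
"""Triage helper for scanner hits on PHP include/require statements.

Lexical, per-statement heuristic: it looks only at the path expression of
each include, not at how variables in it were assigned.  That is enough to
confirm the posted snippet is harmless and to catch the direct
$_GET/$_REQUEST-to-include pattern, but it deliberately reports anything
else as 'unknown' rather than guessing.
"""
import re

# Sources an attacker controls directly from a web request.
USER_INPUT_SOURCES = re.compile(
    r"\$_(GET|POST|REQUEST|COOKIE|FILES|SERVER|ENV)\b|php://input", re.I
)

# include/require statements: keyword, optional parens, expression up to ';'.
# Longer keywords first so 'include' does not swallow 'include_once'.
INCLUDE_RE = re.compile(
    r"\b(include_once|require_once|include|require)\b\s*\(?\s*"
    r"(?P<expr>[^;]+?)\s*\)?\s*;",
    re.I | re.S,
)

# Tokens that may appear in a path that is fixed at deploy time.
SAFE_TOKEN_RE = re.compile(
    r"dirname\s*\(\s*__FILE__\s*\)"            # dirname(__FILE__)
    r"|plugin_dir_path\s*\(\s*__FILE__\s*\)"   # WordPress helper (assumed fixed)
    r"|__DIR__|__FILE__"
    r"|'[^']*'|\"[^\"]*\""                     # string literals
    r"|\.|\s+"                                 # concatenation and whitespace
)


def classify_include_expr(expr: str) -> str:
    """Label one include path expression: 'tainted', 'fixed' or 'unknown'."""
    if USER_INPUT_SOURCES.search(expr):
        return "tainted"
    # Strip everything that is constant; whatever remains is a variable.
    remainder = SAFE_TOKEN_RE.sub("", expr).strip()
    return "fixed" if not remainder else "unknown"


def triage_php(source: str) -> list[tuple[str, str, str]]:
    """Return (keyword, path expression, label) for every include in source."""
    results = []
    for m in INCLUDE_RE.finditer(source):
        expr = m.group("expr")
        results.append((m.group(1).lower(), expr, classify_include_expr(expr)))
    return results


def scanner_verdict(source: str) -> str:
    """Worst label over all includes (tainted > unknown > fixed); 'none' if no includes."""
    order = {"fixed": 0, "unknown": 1, "tainted": 2}
    hits = triage_php(source)
    if not hits:
        return "none"
    return max((label for _, _, label in hits), key=order.__getitem__)


# The snippet quoted in the thread: the path is built only from dirname(__FILE__).
POSTED_SNIPPET = """<?php
if(file_exists(dirname(__FILE__).'/class.plugin-modules.php')){
    include_once(dirname(__FILE__).'/class.plugin-modules.php');
}
?>"""

# Constructed example of what a scanner should actually worry about:
# the include path comes straight from the request (local file inclusion).
VULNERABLE_SNIPPET = """<?php
include($_GET['page'] . '.php');
include_once 'modules/' . $_REQUEST['m'];
?>"""

# Constructed hardened form: request input only selects a key in an allowlist.
# A lexical check cannot see the allowlist, so this lands in 'unknown' and
# needs a human, which is exactly the gap behind false positives like this one.
HARDENED_SNIPPET = """<?php
$allowed = array('home' => 'home.php', 'about' => 'about.php');
$key = isset($_GET['page']) ? $_GET['page'] : 'home';
if (!isset($allowed[$key])) { http_response_code(404); exit; }
include __DIR__ . '/pages/' . $allowed[$key];
?>"""

if __name__ == "__main__":
    for name, src in (("posted", POSTED_SNIPPET),
                      ("vulnerable", VULNERABLE_SNIPPET),
                      ("hardened", HARDENED_SNIPPET)):
        print(f"{name}: {scanner_verdict(src)}")
        for keyword, expr, label in triage_php(src):
            print(f"  {label:8} {keyword} {expr}")
```

Run it and the posted snippet comes back "fixed", the constructed LFI snippet "tainted", and the allowlisted form "unknown"; a signature-based scanner that keys on the file_exists + include_once shape alone has no such distinction, which is why a hit like PHP/checkandincludeprepend still has to be read by hand.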

    I have updated my information as I can’t pinpoint for sure if it comes from here or the other plugin that was picked up.
