Title: Latest version causing major issues with major plugins
Last modified: August 21, 2016

---

# Latest version causing major issues with major plugins

 *  Resolved [slui](https://wordpress.org/support/users/slui/)
 * (@slui)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/)
 * Hi,
 * I just installed the latest version and it is causing problems with the following
   major plugins (all latest versions):
 * 1. Backup Buddy
    2. Gravity Forms 3. Justified Image Grid
 * Wordfence has told me that all these plugins have malicious code. The previous
   version made no mention of this and now it is?
 * Need help in getting this resolved.
 * sl
 * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/)

Viewing 15 replies - 1 through 15 (of 22 total)

1 [2](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/page/2/?output_format=md)

 *  [Kevin](https://wordpress.org/support/users/kevinsaldanha/)
 * (@kevinsaldanha)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574015)
 * I have had a similar issue with my theme – based on the themify platform. It 
   detects img.php as a Severe issue. There are other files too on the Themify platform
   that are now being flagged as severe threats. None of this was happening before.
 * The plugin Updraftplus file updraftplug.php is flagged as not being a part of
   the plugin (it is the main plugin file) and hence a security issue.
 *  [Heikki Hyppänen](https://wordpress.org/support/users/mandrl/)
 * (@mandrl)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574035)
 * Same here with Gravity Forms and Backup Buddy. I think naive checking for base64
   and certain other functions is way too prone to false positives.
 *  [arcane](https://wordpress.org/support/users/arcarcane2012/)
 * (@arcarcane2012)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574084)
 * First, I should mention that perhaps I have WP installed wrong, but this is the
   first time I’ve seen behaviour like this.
 * My setup is that I have WP installed on a main domain, and then in a sub-domain.
   The subdomain is a folder within the main folder.
 * So, when scanning, the main domain reports that there are several files that 
   may have malicious executable code – in the subdomain.
 * The first thing I do before taking the site offline is to scan the subdomain 
   through it’s own installation of Wordfence.
 * *cue the sound of crickets chirping…*
    Nothing. The scan comes back clean.
 * Scan again with the main domain’s installation
    Immediately it comes back with
   all of these “infections”.
 * So, the next thing I do is hit the forums and find this post. I don’t think I’ll
   delete the files, but I will compare them to the ones in the main domain’s installation.
 * Mark, if required, I still have access set up for you.
    Thanks Tammi
 *  [tfagen](https://wordpress.org/support/users/tfagen/)
 * (@tfagen)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574087)
 * Same problem with wp-content/plugins/wp-super-cache/wp-cache.php, some woocommerce
   files and other plugins.
 *  [Chris M.](https://wordpress.org/support/users/thinkdeep/)
 * (@thinkdeep)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574093)
 * Same problem with Gravity Forms, MemberMouse, and BackWPup Pro.
 * I’m geting all kinds of “eval” and other warnings… If you look at the files though,
   you see that it was the word “evaluate” and not “eval”… It’s seems that WordFence
   is being too aggressive here.
 * Please fix this!
 *  Plugin Author [Mark Maunder](https://wordpress.org/support/users/mmaunder/)
 * (@mmaunder)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574099)
 * Thanks for the reports folks. The patterns for this detection are on our scanning
   server, so I’ve modified the algorithm. I’m going to go into a bit of detail 
   here on how it worked and now works:
 * The version we released yesterday looks for ‘eval’ and if it finds it it looks
   for any of the following without quotes:
 * ‘base64_decode’, ‘unpack’, ‘str_rot13’, ‘urldecode’
 * If one of these is found, then the file is flagged.
 * The new algorithm does the same, except we’re suffixing all matches with a single
   parentheses. So we look for eval( and then match on base64_decode(
 * This modification is now live. You don’t need to do anything to get it.
 * I’m going to leave this open and see if things improve. If not, I’ll temporarily
   disable it.
 * The reason we added this is because an arabic hacker published a method that 
   could circumvent our script detection and this will catch the new circumvention.
 * Regards,
 * Mark
    PS: If you found this helpful, please rate Wordfence 5 stars. [http://wordpress.org/plugins/wordfence/](http://wordpress.org/plugins/wordfence/)
 *  Thread Starter [slui](https://wordpress.org/support/users/slui/)
 * (@slui)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574104)
 * Hi Mark,
 * Thanks for the post. Your new algorithm has indeed fixed some of the issues. 
   The issue with Gravity Forms and Justified Image Grid has been resolved, but 
   Backup Buddy has not.
 * In fact, it has found other files to be marked as malicious within Backup Buddy.
   The files flagged with Backup Buddy seems to be the encryption scripts and the
   compression scripts.
 * I’ll be checking some other sites I have to see if it still persists.
 * sl
 *  [Chris M.](https://wordpress.org/support/users/thinkdeep/)
 * (@thinkdeep)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574105)
 * Hello WordFence Support!
 * Even after the update I am getting these things flagged (OptinMonster, a premium
   plugin).. These are only snippets, just to show where the so-called “eval” occurs:
 *     ```
       foreach ($val as $key2 => $val2) {
                           $rs .= '<member><name>' . xmlrpc_encode_entitites($key2, $GLOBALS['xmlrpc_internalencoding'], $charset_encoding) . "</name>\n";
                           //$rs.=$this->serializeval($val2);
                           $rs .= $val2->serialize($charset_encoding);
                           $rs .= "</member>\n";
                       }
       ```
   
 *     ```
       // array
                       $rs .= "<array>\n<data>\n";
                       for ($i = 0; $i < count($val); $i++) {
                           //$rs.=$this->serializeval($val[$i]);
                           $rs .= $val[$i]->serialize($charset_encoding);
                       }
       ```
   
 *     ```
       // DEPRECATED
           function serializeval($o)
           {
       ```
   
 *  Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/)
 * (@sterndata)
 * Volunteer Forum Moderator
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574107)
 * It’s flipping out on ‘eval’ in Slim Jetpack, too.
 *  [arcane](https://wordpress.org/support/users/arcarcane2012/)
 * (@arcarcane2012)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574108)
 * Thanks Mark,
 * This took the list of malicious executable code reports from 10 to 3, the ones
   still flagged are:
 * wp-admin/press-this.php – This file is a PHP executable file and contains the
   word ‘eval’ (without quotes) and the word ‘urldecode(‘ (without quotes).
 * wp-content/plugins/nextgen-gallery/products/photocrati_nextgen/modules/datamapper/
   class.datamapper_driver_base.php – This file is a PHP executable file and contains
   the word ‘eval’ (without quotes) and the word ‘base64_decode(‘ (without quotes).
 * wp-admin/includes/class-pclzip.php – This file is a PHP executable file and contains
   the word ‘eval’ (without quotes) and the word ‘unpack(‘ (without quotes)
 * And once again, as mentioned, the sub-domain scan turns up nothing, but the main
   domain scan is flagging files in the sub-domain’s WP installation.
 *  [Kevin](https://wordpress.org/support/users/kevinsaldanha/)
 * (@kevinsaldanha)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574110)
 * After the update, for Themify, it identifies the following file
 * themify/themify-utils.php
 * and still marks the warning as Severe with the message
 * This file is a PHP executable file and contains the word ‘eval’ (without quotes)
   and the word ‘urldecode(‘ (without quotes). The eval() function along with an
   encoding function like the one mentioned are commonly used by hackers to hide
   their code. If you know about this file you can choose to ignore it to exclude
   it from future scans.
 * The Updraftplus.php file has changed from a Severe to a Warning
 *  Plugin Author [Mark Maunder](https://wordpress.org/support/users/mmaunder/)
 * (@mmaunder)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574111)
 * OK guys here’s what I think we should do:
 * This new detection is very sensitive and useful if your site has been hacked.
   But it’s clearly kicking out a lot of false positives. So I’ve made a change 
   on our server that has the effect of disabling it.
 * If you could do a scan to verify it’s fixed I’d appreciate it.
 * Then I’m going to add an option to increase scan sensitivity to “high” which 
   will enable this feature. The default sensitivity will be ‘low’.
 * That’ll let us add a few other features which might yield false positives but
   which admin’s cleaning sites will love.
 * We have a fix for another issue that was introduced in 4.0.2 which needs to go
   out today, so you’ll see that feature today (scan sensitivity).
 * Let me know if you have any feedback on this in the next few minutes if you could.
   I’ll check back on this thread after making the rest of my support rounds, probably
   in 30 mins.
 * Thanks for all the help!! (Leaving this open for now)
 * Regards,
 * Mark
    PS: If you found this helpful, please rate Wordfence 5 stars. [http://wordpress.org/plugins/wordfence/](http://wordpress.org/plugins/wordfence/)
 *  Thread Starter [slui](https://wordpress.org/support/users/slui/)
 * (@slui)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574115)
 * Hi Mark,
 * I did another scan and now I have no issues to report. Thanks.
 * sl
 *  [arcane](https://wordpress.org/support/users/arcarcane2012/)
 * (@arcarcane2012)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574116)
 * Looks good on this end too.
 *  Plugin Author [Mark Maunder](https://wordpress.org/support/users/mmaunder/)
 * (@mmaunder)
 * [12 years, 3 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/#post-4574117)
 * OK thanks. As I’m writing this version 4.0.3 is being pushed out and will be 
   in the repository in a few seconds and will show up as a new version within an
   hour.
 * It contains a checkbox under scanning which enables “high sensitivity” scans.
   This reenables this feature, but we search for eval( with a parentheses on the
   end along with the other functions. It’s off by default, but it’s there if you’re
   doing a site cleaning or some other activity that needs high sensitivity.
 * I’m marking this resolved in a few minutes unless anyone has any objections.
 * Regards,
 * Mark.

Viewing 15 replies - 1 through 15 (of 22 total)

1 [2](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/page/2/?output_format=md)

The topic ‘Latest version causing major issues with major plugins’ is closed to 
new replies.

 * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865)
 * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/wordfence/)
 * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/)

## Tags

 * [justified image grid](https://wordpress.org/support/topic-tag/justified-image-grid/)

 * 22 replies
 * 14 participants
 * Last reply from: [Cel Martin](https://wordpress.org/support/users/cel-martin/)
 * Last activity: [11 years, 7 months ago](https://wordpress.org/support/topic/latest-version-causing-major-issues-with-major-plugins/page/2/#post-4574298)
 * Status: resolved