Support » Plugin: WordPress Mega Menu - QuadMenu » SECURITY ISSUE

  • Today we’ve had 4 websites maliciously hacked with an injection of wp-stream.php into WP core and uploads folder. The only common denominator is QuadMenu plugin.

    Please can you look into any potential security backdoors ASAP.

Viewing 12 replies - 1 through 12 (of 12 total)
  • We have the same Problem 🙁

    I can confirm that 2.0.6 got hacked.
    I am not sure about 2.0.7 though.

    From their release log it seems that a security issue got fixed:
    * Fixed. security issues

    @aewing2021 & @cordi what versions do you use?

    Will deactivate the plugin for now.

    Thread Starter aewing2021


    I can confirm that this related to patching to 2.07 version and that the issue is resolved with the latest update as far as we can see.

    We had to do full back-up restores, although so far as we could see the injection was into the file structure as opposed to the database.

    I would urge anyone to update all their sites running QuadMenu to 2.07 immediately. The security backdoor can still be exploited even if the plugin is installed but deactivated.

    A software update should suffice and mean no deactivation is necessary.

    Hopefully, that helps anyone else reading this who has experienced this issue.

    • This reply was modified 5 months, 1 week ago by aewing2021.

    We have several websites with QuadMenu hacked (with some sort of domain redirect malware) yesterday!

    Think our site fell victim to the quad menu issue. Was going to update the Quad menu via the WP-admin site but mine looks like this: Any ideas?

    /** * Dashboard Administration Screen * * @package WordPress * @subpackage Administration */ /** Load WordPress Bootstrap */ require_once __DIR__ . '/admin.php'; /** Load WordPress dashboard API */ require_once ABSPATH . 'wp-admin/includes/dashboard.php'; wp_dashboard_setup(); wp_enqueue_script( 'dashboard' ); if ( current_user_can( 'install_plugins' ) ) { wp_enqueue_script( 'plugin-install' ); wp_enqueue_script( 'updates' ); } if ( current_user_can( 'upload_files' ) ) { wp_enqueue_script( 'media-upload' ); } add_thickbox(); if ( wp_is_mobile() ) { wp_enqueue_script( 'jquery-touch-punch' ); } $title = __( 'Dashboard' ); $parent_file = 'index.php'; $help = '
    ' . __( 'Welcome to your WordPress Dashboard! This is the screen you will see when you log in to your site, and gives you access to all the site management features of WordPress. You can get help for any screen by clicking the Help tab above the screen title.' ) . '
    '; $screen = get_current_screen(); $screen->add_help_tab( array( 'id' => 'overview', 'title' => __( 'Overview' ), 'content' => $help, ) ); // Help tabs. $help = '
    Thread Starter aewing2021


    Yes, this was the same hack @valhard – redirect malware. Our sites were hit between 12pm and 4pm UK time.

    @dougp2021 – do a backup restore before updating the plugin. If you don’t have one then do a fresh WP core install and check the uploads folder for wp-stream.php and _lcl file – ours were in the root oof the uploads folder. There was also an injection in the WP root index.php file.

    Same problem here.
    2 sites hacked.
    wp-stream.php present.
    Code injection to many files.

    Restore from backup. Update Quad Menu. Problem solved.

    I have to admit that Quad menu developers responded quickly to release an update.

    • This reply was modified 5 months, 1 week ago by Ilias Antonopoulos. Reason: wp-steam.php -> wp-stream.php

    Same here, 11 sites hacked yesterday.
    Restore the backup but hacked again this morning.
    Please confirmation that the problem is been solved.

    Guess we all were attacked almost same time. Would like to understand few things here to clear future such issues and attacks.

    1. Has the quadmenu update fixed the issue completely?
    2. How does any hacker understand which all sites uses quadmenu in there wordpress, it there some like google search or ping to check that. Coz if so then all that kind of checks needs to be blocked to somewhat save us in future.

    It might be useful to block requests to wp-stream.php to prevent future attacks.

    Exemple for Nginx proxy below :

    ## block wp-stream.php requests
    location = /wp-stream.php {
    deny all;
    location = /wp-content/uploads/wp-stream.php {
    deny all;

    Yep, same here. 4 sites hacked with the exact signature described by other user

    Moderator Steve Stern (sterndata)


    Forum Moderator & Support Team Volunteer

    As the plugin has been updated, I’m closing the topic. Please update to get the latest. If you need help cleaning a hacked site, please start your own topic in the “Fixing WordPress” section of the forums.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘SECURITY ISSUE’ is closed to new replies.