WordPress Exploits ?! (10 posts)

  1. Bucki
    Posted 3 years ago #


    I installed a plugin called S6 Scan and it came up with the following errors:

    ERROR 1

    Open user-edit.php file for editing
    Find the line that begins with "wp_enqueue_script('user-profile');"
    Append the next lines with the following:

    if ( current_user_can( 'edit_user', $user_id ) == FALSE )	/* Deny unless the current user may edit this profile; core's user-edit.php already performs this same check */
        wp_die( __( 'Forbidden' ) );



    ERROR 2

    Edit the wp-comments-post.php file
    Find the line that begins with "/** Sets up the WordPress Environment. */"
    Prepend that line with the next code:

    if ( isset( $_SERVER[ "HTTP_REFERER" ] ) ) {	/* posted as "! isset", which would then read an unset index; assumed to be inverted in transcription */
        $referrer_url = $_SERVER[ "HTTP_REFERER" ];
        $server_name = preg_quote( $_SERVER[ "HTTP_HOST" ], '/' );	/* Escape '.', '/' and every other regexp metacharacter in the host, not only dots and slashes */
        $referr_pattern = "/^((http(s)?):\/\/)?(www\.)?$server_name/";	/* dot in 'www.' escaped; the pattern is anchored only at the start, so any referer that begins with the host passes */
        if ( ! preg_match( $referr_pattern, $referrer_url ) )
            wp_die( __( 'Forbidden' ) );	/* body missing from the posted snippet; assumed to match ERROR 1 */
    }



    Wondering if this is just "crap" and fake or is it for real!?
    Shall I be worried ... apparently it is vulnerable to security threats.

    Any suggestions?

  2. Amy Hendrix (sabreuse)

    Posted 3 years ago #

    It's crap -- don't ever use anything that asks you to edit core WP files; it leaves your installation far more vulnerable to security issues in the future because it messes with your ability to keep up with future updates.

    Beyond that, the first snippet checks that users have the permissions they already need to have to even be on that page. And the second requires that comments actually have to be coming from your site -- which can be done much more safely with something like Cookies for Comments.

    Where did you find this delightful plugin?
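    The point about not editing core files can be made concrete. The following is an added example written for this thread; it is not code from the S6 Scan plugin, from WordPress core, or from any poster. It does the ERROR 2 referer check as a must-use plugin (the filename wp-content/mu-plugins/referer-gate.php is assumed) instead of an edit to wp-comments-post.php, so core updates are unaffected, and it compares a parsed hostname rather than the prefix regexp from the snippet. The functions normalize_host() and referer_allowed_for_host() and the sample referers are invented here.

```php
<?php
// Added example for this thread; not code from S6 Scan, WordPress core, or any poster.
// Drop-in must-use plugin (assumed path: wp-content/mu-plugins/referer-gate.php).
// normalize_host() and referer_allowed_for_host() are names invented for this example.

// Lower-case a hostname and drop a leading "www." so that example.com and
// www.example.com compare equal in either direction.
function normalize_host( $host ) {
    return preg_replace( '/^www\./', '', strtolower( $host ) );
}

// True when the referer may submit a comment to a site served at $site_host.
// A missing referer is tolerated because browsers and privacy extensions strip
// it (Referrer-Policy: no-referrer); blocking it would reject real visitors.
// The host is taken from a parsed URL rather than matched by a prefix regexp, so
// referers such as http://example.com.evil.net/ or http://example.com@evil.net/
// (both accepted by the thread's "^...$server_name" pattern) are rejected.
function referer_allowed_for_host( $referer, $site_host ) {
    if ( $referer === null || $referer === '' ) {
        return true;
    }
    $parts = parse_url( $referer );
    if ( $parts === false || empty( $parts['host'] ) ) {
        return false; // unparsable or scheme-less value: nothing trustworthy to compare
    }
    return normalize_host( $parts['host'] ) === normalize_host( $site_host );
}

// WordPress wiring, only active when loaded by WordPress. The pre_comment_on_post
// action fires from the comment submission path before the comment is inserted.
if ( function_exists( 'add_action' ) ) {
    add_action( 'pre_comment_on_post', function ( $comment_post_id ) {
        // Compare against the configured site URL, not $_SERVER['HTTP_HOST'],
        // which is just another client-supplied header.
        $site_host = parse_url( home_url(), PHP_URL_HOST );
        $referer   = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : null;
        if ( ! referer_allowed_for_host( $referer, $site_host ) ) {
            wp_die( __( 'Forbidden' ), '', array( 'response' => 403 ) );
        }
    } );
}

// Stand-alone check from the command line (php referer-gate.php) using
// constructed referers for a site at example.com; none of this is live traffic.
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $samples = array(
        'https://www.example.com/2012/hello-world/'  => true,
        'https://example.com/?p=1'                   => true,
        ''                                           => true,   // stripped referer
        'http://example.com.evil.net/post'           => false,  // passes the posted regexp
        'http://example.com@evil.net/post'           => false,  // userinfo trick, also passes it
        'https://evil.net/?ref=example.com'          => false,
        'example.com/no-scheme'                      => false,
    );
    foreach ( $samples as $referer => $expected ) {
        $got = referer_allowed_for_host( $referer, 'example.com' );
        printf( "%-45s %s\n", $referer === '' ? '(no referer)' : $referer,
                $got === $expected ? ( $got ? 'allowed' : 'blocked' ) : 'MISMATCH' );
    }
}
```

    The Referer header is set by the client, so a spam bot that bothers to fake it walks straight through; this only raises the bar for the simplest bots, which is why a check like this is friction rather than authentication. Because the file lives in mu-plugins, a core update leaves it in place, which is the practical difference from pasting the same check into wp-comments-post.php.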

  3. Bucki
    Posted 3 years ago #


    The plugin can be found on WordPress Plugins called S6 Scan!
    I wanted to see if my site is open to any exploits because some sites state that even 3.4.2 is vulnerable :( and I don't want my site to be hacked.

    But yeah, there are so many plugins out there; unless you know every bit of coding, people like me won't know what the plugin does behind the scenes :(

  4. Bucki
    Posted 3 years ago #

    Besides, the code above was provided by S6 Scan.
    In other words, it asked me to follow the steps above!

  5. Clayton James
    Posted 3 years ago #


    Could you be kind enough to leave a link to that exact plugin so I can download it? I can't find it, and I would like to take a look at it. Thank you!

  6. Bucki
    Posted 3 years ago #

  7. Clayton James
    Posted 3 years ago #


    [edit] Just some more info for you if you didn't already see it. The support conversations for the plugin are interesting reading.


    I find this response particularly thought provoking.


  8. Bucki
    Posted 3 years ago #


    Yeah, I removed that plugin.
    Just hoping it didn't do anything bad :( hmmmm

  9. Eeeh, it's one of those things which is really generally bad advice (they should submit 'fixes' to core), but as Amy said, they're adding a second (unneeded) layer to the code. It falls under 'Plugins I think are unnecessary and not doing it best, but to each their own.'

  10. Bucki
    Posted 3 years ago #

    Hmmmmm, I don't know really, but when I saw this site:

    It made me think that even 3.4.2 is not secure enough, which is why I looked for an alternative security check. hmmm

Topic Closed

This topic has been closed to new replies.
