Support » Plugin: WP Authenticity Checker » WP Authenticity Checker says plugins are malicious

  • My results as;

    Line 1523: “base64_encode( serialize( $newQPPR_Array ) )…”
    Edit:
    /quick-pagepost-redirect-plugin/page_post_redirect_plugin.php
    Line 1595: “base64_decode(substr($config_file, strlen(‘QU…”
    Edit:
    /quick-pagepost-redirect-plugin/page_post_redirect_plugin.php
    Line 17: “base64’.’_decode(‘)!==false) { // dotting the…”
    Edit:
    /stop-spammer-registrations-plugin/modules/chkexploits.php
    Line 87: “base64_encode(serialize($_POST));…”
    Edit:
    /stop-spammer-registrations-plugin/classes/kpg_ss_challenge.php
    Line 88: “base64_decode($kp));…”
    Edit:
    /stop-spammer-registrations-plugin/classes/kpg_ss_challenge.php
    Line 160: “base64_decode($kp));…”
    Edit:
    /stop-spammer-registrations-plugin/classes/kpg_ss_challenge.php
    Line 183: “base64_decode($kp));…”
    Edit:
    /stop-spammer-registrations-plugin/classes/kpg_ss_challenge.php
    Line 209: “base64_encode(serialize($_POST));…”
    Edit:
    /stop-spammer-registrations-plugin/classes/kpg_ss_challenge.php
    Line 10: “base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAAAAA…”
    Edit:
    /stop-spammer-registrations-plugin/settings/settings.php
    Line 325: “base64′.’_decode’=>’base64 decode to hide cod…”
    Edit:
    /stop-spammer-registrations-plugin/settings/kpg_ss_threat_scan.php
    Line 471: “base64′.’_decode’,…”
    Edit:
    /stop-spammer-registrations-plugin/settings/kpg_ss_threat_scan.php
    Line 282: “Base64 encoded archive file for us to import…”
    Edit:
    /mailchimp-widget/lib/mcapi.class.php
    Line 201: “base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAA…”
    Edit:
    /essential-grid/includes/global-css.class.php
    Line 2313: “base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAA…”
    Edit:
    /essential-grid/includes/item-skin.class.php
    Line 697: “base64_encode( $bearer_token_credentials );…”
    Edit:
    /essential-grid/includes/external-sources.class.php
    Line 219: “base64 encoded red image that says ‘no hotlin…”
    Edit:
    /wordpress-gallery-plugin/timthumb.php
    Line 221: “base64_decode(“R0lGODlhUAAMAIAAAP8AAP///yH5BA…”
    Edit:
    /wordpress-gallery-plugin/timthumb.php
    Line 369: “base64_encode( $bearer_token_credentials );…”
    Edit:
    /revslider/includes/external-sources.class.php
    Line 191: “base64_decode($b64);…”
    Edit:
    /broken-link-checker/idn/uctc.php
    Line 239: “base64_encode($b64).’-‘;…”
    Edit:
    /broken-link-checker/idn/uctc.php
    Line 495: “base64′,…”
    Edit:
    /contact-form-7-to-database-extension/CFDBMimeTypeExtensions.php
    Line 498: “base64′,…”
    Edit:
    /contact-form-7-to-database-extension/CFDBMimeTypeExtensions.php
    Line 1579: “base64′ =>…”
    Edit:
    /contact-form-7-to-database-extension/CFDBMimeTypeExtensions.php
    Line 209: “base64)…”
    Edit:
    /js_composer/include/autoload/vc-image-filters.php
    Line 286: “base64,’ . base64_encode( $data );…”
    Edit:
    /js_composer/include/autoload/vc-image-filters.php
    Line 246: “base64_decode( $value ) ), ENT_COMPAT, ‘UTF-8…”
    Edit:
    /js_composer/include/params/default_params.php
    Line 276: “base64_decode( preg_replace( ‘/^#E\-8_/’, ”,…”
    Edit:
    /js_composer/include/helpers/helpers_factory.php
    Line 19: “base64_decode( strip_tags( $content ) ) );…”
    Edit:
    /js_composer/include/templates/shortcodes/vc_raw_html.php
    Line 89: “base64 (this allows you to store raw js or ra…”
    Edit:
    /js_composer/include/classes/shortcodes/example.php
    Line 23: “base64_decode( strip_tags( $content ) ) );…”
    Edit:
    /js_composer/include/classes/shortcodes/vc-raw-js.php
    Line 44: “base64_decode( strip_tags( $value ) ) ), ENT_…”
    Edit:
    /js_composer/include/classes/shortcodes/vc-raw-html.php
    Line 19: “base64_encode( ‘<p>I am raw html block.<br/>C…”
    Edit:
    /js_composer/config/structure/shortcode-vc-raw-html.php
    Line 19: “base64_encode( ‘<script type=”text/javascript…”
    Edit:
    /js_composer/config/structure/shortcode-vc-raw-js.php
    Line 18: “base64_decode($hitData->fullRequest);…”
    Edit:
    /wordfence/views/waf/debug.php
    Line 73: “base64_encode($b[‘IP’]);…”
    Edit:
    /wordfence/waf/wfWAFIPBlocksController.php
    Line 273: “base64_decode($b[‘IP’]) != $ipNum) {…”
    Edit:
    /wordfence/waf/wfWAFIPBlocksController.php
    Line 393: “base64_decode(whitelistedURLParam.path))}</sp…”
    Edit:
    /wordfence/lib/menu_waf.php
    Line 395: “base64_decode(whitelistedURLParam.path))}”>…”
    Edit:
    /wordfence/lib/menu_waf.php
    Line 399: “base64_decode(whitelistedURLParam.paramKey))}…”
    Edit:
    /wordfence/lib/menu_waf.php
    Line 401: “base64_decode(whitelistedURLParam.paramKey))}…”
    Edit:
    /wordfence/lib/menu_waf.php
    Line 41: “base64…”
    Edit:
    /wordfence/lib/wfCrypt.php
    Line 43: “base64_encode($encSymKey);…”
    Edit:
    /wordfence/lib/wfCrypt.php
    Line 518: “base64_decode($actionData[‘paramKey’]);…”
    Edit:
    /wordfence/lib/wfActivityReport.php
    Line 519: “base64_decode($actionData[‘paramValue’]);…”
    Edit:
    /wordfence/lib/wfActivityReport.php
    Line 1223: “base64_encode($waf->getRequest());…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 1807: “base64_encode($IP), ‘count’ => $count, ‘block…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 1863: “base64_encode(filter_var($record[‘IP’], FILTE…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 3735: “base64_encode($rec[‘crypt_pass’]) . ‘|’;…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 3737: “base64_encode($rec[‘crypt_pass’]) . ‘|’;…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 5992: “base64’d…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 5994: “base64_encode($newWhitelistedPath) . ‘|’ . ba…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 6155: “base64_decode($_POST[‘path’]), base64_decode(…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 6382: “base64_decode($actionData[‘paramKey’]);…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 6383: “base64_decode($actionData[‘paramValue’]);…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 6448: “base64_encode($actionData[‘paramKey’]) : fals…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 6449: “base64_encode($actionData[‘paramValue’]) : fa…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 6648: “base64_encode($requestString);…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 6654: “base64_encode($requestString);…”
    Edit:
    /wordfence/lib/wordfenceClass.php
    Line 34: “base64_encode($i[‘tmplData’][‘badURL’])…”
    Edit:
    /wordfence/lib/email_newIssues.php
    Line 1690: “base64_encode($actionData[$key]);…”
    Edit:
    /wordfence/lib/wfLog.php
    Line 1706: “base64_decode($actionData[$key]);…”
    Edit:
    /wordfence/lib/wfLog.php
    Line 1437: “Base64decode($value) {…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/rules.php
    Line 1439: “base64_decode($value);…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/rules.php
    Line 112: “base64_decode($matches[1]), 2);…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/request.php
    Line 610: “base64_encode($auth[‘user’] . ‘:’ . $auth[‘pa…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/request.php
    Line 622: “base64_encode($auth[‘user’] . ‘:’ . $auth[‘pa…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/request.php
    Line 368: “base64_encode($auth[‘user’] . ‘:’ . $auth[‘pa…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/http.php
    Line 624: “base64_encode($row[$index]);…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php
    Line 644: “base64_decode($json[$index]);…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/storage/file.php
    Line 209: “base64_decode($this->getRequest()->body(‘ping…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 438: “base64_decode($encoded);…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 467: “base64_encode($payload));…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 920: “base64_encode($path) . “|” . base64_encode($p…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 923: “base64_encode($path) . “|” . base64_encode($p…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 956: “base64_encode($urlPath) . “|” . base64_encode…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 1434: “base64_decode($jsonData[‘data’][‘signature’])…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 1436: “base64_decode($jsonData[‘data’][‘rules’]),…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 1447: “base64_decode($jsonData[‘data’][‘rules’]),…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 1471: “base64_decode($jsonData[‘data’][‘signature’])…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 1473: “base64_decode($jsonData[‘data’][‘signatures’]…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 1484: “base64_decode($jsonData[‘data’][‘signatures’]…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/waf.php
    Line 420: “BASE64′,…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/parser/sqli.php
    Line 447: “BASE64′,…”
    Edit:
    /wordfence/vendor/wordfence/wf-waf/src/lib/parser/sqli.php
    Line 896: “base64_encode|base64_decode|create_function|e…”
    Edit:
    /antivirus/antivirus.php
    Line 938: “Base64 suchen */…”
    Edit:
    /antivirus/antivirus.php
    Line 940: “base64_encode(‘sergej + swetlana = love.’))….”
    Edit:
    /antivirus/antivirus.php
    Line 131: “base64_decode($result->meta_value));…”
    Edit:
    /social/social-twitter.php
    Line 235: “base64_encode(json_encode($response->body()->…”
    Edit:
    /social/social-twitter.php
    Line 1463: “base64_encode(json_encode($response->body()->…”
    Edit:
    /social/social.php
    Line 1558: “base64_encode(json_encode($response->body()->…”
    Edit:
    /social/social.php
    Line 21: “base64_decode($broadcast[‘message’])) !== fal…”
    Edit:
    /social/lib/social/controller/broadcast.php
    Line 326: “base64_encode(json_encode($result->raw))));…”
    Edit:
    /social/lib/social/service/twitter.php
    Line 471: “base64_encode(json_encode($result->raw))));…”
    Edit:
    /social/lib/social/service/facebook.php
    Line 4636: “base64_encode(json_encode($data_set));…”
    Edit:
    /sucuri-scanner/sucuri.php
    Line 4637: “Base64:’ . $message, true);…”
    Edit:
    /sucuri-scanner/sucuri.php
    Line 837: “base64 URL for the svg for use in the menu…”
    Edit:
    /wordpress-seo/inc/class-wpseo-utils.php
    Line 839: “base64 Whether or not to return base64’d outp…”
    Edit:
    /wordpress-seo/inc/class-wpseo-utils.php
    Line 843: “base64 = true ) {…”
    Edit:
    /wordpress-seo/inc/class-wpseo-utils.php
    Line 846: “base64 ) {…”
    Edit:
    /wordpress-seo/inc/class-wpseo-utils.php
    Line 847: “base64,’ . base64_encode( $svg );…”
    Edit:
    /wordpress-seo/inc/class-wpseo-utils.php
    Line 256: “base64 (numeric + alpha + alpha upper case) w…”
    Edit:
    /wordpress-seo/inc/sitemaps/class-sitemaps-cache-validator.php
    Line 134: “base64\r\n”;…”
    Edit:
    /wordpress-seo/vendor/yoast/api-libs/google/service/Google_MediaFileUpload.php
    Line 135: “base64_encode($data) . “\r\n”;…”
    Edit:
    /wordpress-seo/vendor/yoast/api-libs/google/service/Google_MediaFileUpload.php
    Line 26: “base64_encode($data);…”
    Edit:
    /wordpress-seo/vendor/yoast/api-libs/google/service/Google_Utils.php
    Line 37: “base64_decode($b64);…”
    Edit:
    /wordpress-seo/vendor/yoast/api-libs/google/service/Google_Utils.php
    STATUS: ( Malicious code found in 105 plugin files )

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi Suresh,
    I am the author of one of the plugins on your list. As you can see from the pattern of found ‘malicious’ files, they all are using base64_encode or base64_decode. This function has gotten a bad rap because malware and malicious code developers use it to hide their intent from visual inspection.

    In the case of the Quick Page Post Redirect plugin (which I initially created), it is not malicious code. In fact, I would bet that almost of of these are fine (not guaranteeing that) but are showing up a ‘possible’ malicious code because of their use of those functions.

    I think the plugin should point that out in some way as them being ‘potential’ and not immediately tag it as malicious code – unless there has been a verification of the specific code in a specific plugin being known to be malicious.

    Best of luck.
    Don

    Regarding my plugin, CFDB, you have:

    /contact-form-7-to-database-extension/CFDBMimeTypeExtensions.php
    Line 1579: “base64′ =>…”

    (and on other lines)

    This is not malicious code either. It isn’t even a call to a function like base64_decode. It looks like the scanner is just naively reporting every time is sees “base64”.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘WP Authenticity Checker says plugins are malicious’ is closed to new replies.