WP Jobs Plugin – log4j
-
Dear all,
we are using WP Job Manager 1.35.2 and WP 5.8.3. Our security privacy expert now scanned our company site and detected a log4j vulnerability on our url:
https://www.[company].de/index.php/jobs/
The result is:
Parameters:
————–GET: lang=${${lOwER:jn}${u pper:-di:}${LOwEr:- dn}${LOwEr:s:}${LOw eR:-//}${:- subdomain}.domain}————–
Evidence:
————–
Injecting the payload ${${lOwER:jn}${upper:-di:}${LOwEr:-dn}${LOwEr:s:}${LOweR:-//}${:-
subdomain}.domain} in the parameter lang triggered a DNS lookup to one of our DNS
loggers. The payload is the obfuscated equivalent of ${jndi:dns://subdomain.domain} ,
which will trigger a trigger a DNS query to subdomain.domain via JNDI lookups in Log4j.
————–So my question is: Is that a false positive? Afaik WP uses PHP and not Java… so in my opinion it cannot be that our WP-site and the plugin is affected by log4j!?
-
So what can it be other
There are other possible variants, you will have to find/figure that yourself,
but it cannot be Wp Job manager plugin, nor WordPress itself, nor other plugin or theme which use only PHP code server-side.Do you have any access log analyzers, frameworks or components? Does the hoster use them? They are first candidates. It is not WP and does not directly belong to your website, maybe you can ask your hoster too.
Hi @rabu78,
Thanks for reporting the issue.
log4jis a data logging package for the Java platform. The code for WP Job Manager does not use Java, the plugin is written mostly in PHP.Since the vulnerability does not affect WP Job Manager plugin I am going to close this thread now.
Please feel free to reach out if you have any questions.
Best,
The topic ‘WP Jobs Plugin – log4j’ is closed to new replies.
