Title: Found Database Injections – NCTC7 “<script*settimeout(
Last modified: February 6, 2026

---

# Found Database Injections – NCTC7 “<script*settimeout(

 *  [madukdiver](https://wordpress.org/support/users/madukdiver/)
 * (@madukdiver)
 * [4 months ago](https://wordpress.org/support/topic/found-database-injections-nctc7-scriptsettimeout/)
 * I did my routine monthly scan of my site today and had the following warning 
   come up…
 *     ```wp-block-code
       Found 2 Database Injections1 NCTC7 "<script*settimeout(" in wpcode(publish):"xxxxxxxxxxxx":1 NCTC7 "<script*settimeout(" in XXXXXXoptions:wpcode_snippets":595101.1
       ```
   
 * But these both relate to the same code snippet I wrote myself, that does use 
   the setTimeout function:
 *     ```wp-block-code
       setTimeout(function() { // give a little time for the option to update before page reload
           window.location.reload(); // refresh the page
       }, 2000);
       ```
   
 * Any advice how to prevent these from flagging up?

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [3 months, 2 weeks ago](https://wordpress.org/support/topic/found-database-injections-nctc7-scriptsettimeout/#post-18827665)
 * In this case, since you know that scripts found in the database are intentional,
   I would suggest that you simply whitelist each of those code snippets the next
   time they are found in the DB scan. Then they should not come up again unless
   they are altered, in which case you can review the code again to make sure
   the change was intentional and then whitelist the new code changes again.
 *  Thread Starter [madukdiver](https://wordpress.org/support/users/madukdiver/)
 * (@madukdiver)
 * [3 months, 2 weeks ago](https://wordpress.org/support/topic/found-database-injections-nctc7-scriptsettimeout/#post-18830837)
 * Thanks Eli,
 * I’d be happy with the whitelist approach but I don’t see that option when I re-
   run the scan. It shows the two known injections but I do not see a button or 
   other option to white list. How do I do that?
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [3 months, 2 weeks ago](https://wordpress.org/support/topic/found-database-injections-nctc7-scriptsettimeout/#post-18830886)
 * Sorry for not specifying how to do that in my last reply… If I had then I might
   have realized that this option is not available in your case because these are
   listed as database injections and only files can be whitelisted, not DB records.
 * Not the best solution but you could just uncheck “database injections” under
   **What to look for**, but then the scan might miss some real DB injection if there
   ever are any.
 * Can I ask why you are putting this script timeout to refresh the page in a database
   record in the first place and not putting it more securely into a script file that
   is included in the code?
 * Maybe there is a better way to code this so that it does not appear as a threat.
 *  Thread Starter [madukdiver](https://wordpress.org/support/users/madukdiver/)
 * (@madukdiver)
 * [3 months, 2 weeks ago](https://wordpress.org/support/topic/found-database-injections-nctc7-scriptsettimeout/#post-18830940)
 * Thanks for confirming. I’ve sent you an email with a copy of the script so you
   can see why I’m using the setTimeout call.
 *  Plugin Author [Eli](https://wordpress.org/support/users/scheeeli/)
 * (@scheeeli)
 * [3 months, 2 weeks ago](https://wordpress.org/support/topic/found-database-injections-nctc7-scriptsettimeout/#post-18831149)
 * Thanks for sending me this code. I see where you are calling this JS timeout 
   in the admin_footer hooked function, but I guess my real question was: why are
   you putting all this code into the DB?
 * It is not uncommon for DB entries that contain code to be manipulated by hackers
   to execute malicious code snippets; that is why WPCode Snippets can be so dangerous.
   While there is no direct exploit that I am aware of within WPCode itself, I have
   known many instances of hacks utilizing WPCode Snippets to execute their malicious
   payload. Maybe they used other vulnerabilities to get their bad code into the
   DB (which is sometimes easier than injecting executable code into php files) 
   but any code recorded in the database would not be executable or dangerous with
   a plugin like WPCode to eval and run those code snippets.
 * So, getting back to my original line of questioning: Would you be able to put
   all this PHP code into a file, like in mu-plugins or something like that so that
   it’s not executed from within your DB? I feel like that would be more secure 
   overall anyway.
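
The review-then-allowlist workflow from the first reply (a reviewed snippet stays quiet until it is altered), applied to database records outside the plugin, as an added example that is not part of the thread or the plugin's code. It assumes the `<script*settimeout(` signature behaves as a case-insensitive wildcard match; the location labels and sample records are constructed.

```python
import hashlib
import re

# Assumption: "<script*settimeout(" is read as a case-insensitive wildcard
# signature; the plugin's actual NCTC7 definition is not shown in the thread.
SIGNATURE = re.compile(r"<script.*?settimeout\(", re.IGNORECASE | re.DOTALL)

# Constructed sample: the thread's snippet as it might be stored in the DB.
SNIPPET = """<script>
setTimeout(function() { // give the option time to update before reload
    window.location.reload(); // refresh the page
}, 2000);
</script>"""


def fingerprint(content: str) -> str:
    """SHA-256 of the stored record, taken at the time of manual review."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def triage(records, reviewed):
    """Classify signature hits against a {location: sha256} review baseline."""
    results = {}
    for location, content in records:
        if not SIGNATURE.search(content):
            continue  # no script/setTimeout pattern, nothing to report
        if reviewed.get(location) == fingerprint(content):
            results[location] = "reviewed-unchanged"
        elif location in reviewed:
            results[location] = "changed-since-review"  # re-review needed
        else:
            results[location] = "new-finding"
    return results


def demo():
    # Hypothetical location labels; both copies were reviewed and recorded.
    reviewed = {"post:wpcode": fingerprint(SNIPPET),
                "option:wpcode_snippets": fingerprint(SNIPPET)}
    records = [
        ("post:wpcode", SNIPPET),                                    # untouched
        ("option:wpcode_snippets", SNIPPET.replace("2000", "5000")),  # edited
        ("post:unknown", "<SCRIPT>setTimeout(function(){}, 1);</SCRIPT>"),
        ("option:blogname", "My Site"),                              # no match
    ]
    return triage(records, reviewed)


if __name__ == "__main__":
    for loc, status in demo().items():
        print(f"{loc}: {status}")
```

Keying the baseline by location and content hash means any edit to a reviewed record, however small, brings it back for review instead of being silently trusted.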

 * 6 replies
 * 2 participants
 * Last reply from: [Eli](https://wordpress.org/support/users/scheeeli/)
 * Last activity: [3 months, 2 weeks ago](https://wordpress.org/support/topic/found-database-injections-nctc7-scriptsettimeout/#post-18831149)
 * Status: not resolved