legacy-core.php file infected

  • Resolved Vadim

    (@vadikcoma)


    2 years, 2 months ago

    Our antivirus ir reporting that /wp-content/plugins/wp-google-maps/legacy-core.php file is being infected with SMW-INJ-25795-php.phish-0

    Is that a false positive or we should take any measures? We are on version 9.0.33

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter Vadim

    (@vadikcoma)

    2 years, 2 months ago

    Same infection is reported by ImunifyAV on version 9.0.35

    Francisco Panis Kaseker

    (@apterix)

    2 years, 2 months ago

    The problem is this line:

    1745c1745
<             return esc_attr("");
---
>             return esc_attr("http://affiliatetracker.io/?aff=".$id."&affuri=".base64_encode($link));

    affiliatetracker.io does not exist. https://affiliatetrack.io/ exist. Probably imunify identified the base64_encode.

    function wpgm_pro_link($link) {
    if (defined('wpgm_aff')) {
        $id = sanitize_text_field(wpgm_aff);
        if ($id && $id !== "") {
            return esc_attr("http://affiliatetracker.io/?aff=".$id."&affuri=".base64_encode($link));
        } else {
            return esc_attr($link);
        }

    } else {
        return esc_attr($link);
    }
}

    I think is safe to press Clean button, as this link does not exist, so the function is actually doing nothing due wrong link. Also, not sure if the plugin really needs that to work properly. I just a way that author can get informations about your site.

    Plugin Author DylanAuty

    (@dylanauty)

    2 years, 2 months ago

    Hi there,

    Thank you all for bringing this to our attention, our apologies for the trouble/alarm this has caused.

    The block of code being flagged is not malicious, and we believe it is being falsely flagged in this case. For the time being, you are welcome to auto-clean the function, but the team and I are working on a patch to remove this from the plugin at the moment.

    The function is meant to allow affiliates to add their affiliate link and ID to links within the basic plugin, as part of our affiliate program.

    With that said, as @apterix has mentioned, this is no longer relevant as the original affiliate program has since ended, and those links have become invalid. This is something we should have removed sooner, but as it is part of the legacy code base, it went unnoticed.

    We apologize for the confusion and frustration this has caused. We expect to have a more well-rounded solution for this within the next day or so.

    I will update this thread when the update has been released.

    • This reply was modified 2 years, 2 months ago by DylanAuty. Reason: Spelling Mistake
    Plugin Author DylanAuty

    (@dylanauty)

    2 years, 2 months ago

    Hi again,

    Just a quick follow up to let you all know that our latest update (9.0.36) removes that legacy code block and should resolve the issue discussed here.

    Plugin Author DylanAuty

    (@dylanauty)

    2 years, 2 months ago

    Hi everyone,

    Since the updates release, we’ve had quite a few confirmations that the issue is resolved. If anyone here is still experiencing issues, please do let us know so that we can assist.

    In the meantime, we’ll go ahead and mark this as resolved.

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘legacy-core.php file infected’ is closed to new replies.