Title: Persistent Malware
Last modified: October 7, 2022

---

# Persistent Malware

 *  Resolved [Nathan24](https://wordpress.org/support/users/nathan24/)
 * (@nathan24)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/persistent-malware/)
 * This plugin is regularly injected with malware on our website. It seems to happen
   about once a month. Most recently, it was version 12.1, and the following files
   were infected:
    Assertion.php LogoutRequest.php MetadataReader.php Response.php
   Utilities.php includes/lib/mo-options-enum.php login.php mo_login_saml_sso_widget.
   php mo_saml_settings_page.php`
 * This is happening on a very regular basis, and it is only happening with this
   plugin.

Viewing 13 replies - 1 through 13 (of 13 total)

 *  Plugin Support [Anukasha Singh](https://wordpress.org/support/users/anukasha/)
 * (@anukasha)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16077750)
 * Hi Nathan,
 * Thanks for reaching out to us.
 * As I understand, you are using the licensed version of our plugin (v12.1).
 * The code flagged by WordFence is actually an obfuscated version of the plugin
   code. We use obfuscation to deter the reverse-engineering of the licensed plugins.
 * **I can assure you that no malicious code is part of the plugin files.** You 
   can safely add an exception for these files in Wordfence.
 * Also, I would like to mention that the plugin is completely on-premise and we
   have a complete security scan of our plugins before release. However, if you 
   are regularly facing malware warnings, please do share the complete report with
   us over email. Please feel free to start a support ticket via the plugin’s Contact
   Us/Support form.
 * Thanks,
    Anukasha
 *  Thread Starter [Nathan24](https://wordpress.org/support/users/nathan24/)
 * (@nathan24)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16079855)
 * That’s all very good, except that our host continually suspends our account because
   of detected malware. It does not seem you have thought through the consequences
   of using obfuscated code. Also, if we are not able to view the code ourselves,
   that is a massive security problem for any organization as you are publishing
   a plugin that deliberately frustrates security audits.
 *  Plugin Support [Anukasha Singh](https://wordpress.org/support/users/anukasha/)
 * (@anukasha)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16092506)
 * Hi Nathan,
 * Thanks for getting back to us.
 * We totally understand your concern.
    It would be great if you could mail us with
   a detailed report of the scan that your host has run. We will get the report 
   examined by our security team and would be glad to provide you with a solution
   which doesnot prompt for malware again and again in the obfuscated code.
 * Please feel free to start a support ticket via the plugin’s Contact Us/Support
   form so that we can work on this further.
 * Thanks,
    Anukasha
 *  Plugin Support [Anukasha Singh](https://wordpress.org/support/users/anukasha/)
 * (@anukasha)
 * [3 years, 8 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16111580)
 * Hi Nathan,
 * I just wanted to follow up here and mention that we have fixed this issue in 
   the plugin.
 * Can you please reach out to us over email so that we can provide you with the
   fixed plugin?
 * Thanks,
    Anukasha
 *  [kevinwrdprssdvlpr](https://wordpress.org/support/users/kevinwrdprssdvlpr/)
 * (@kevinwrdprssdvlpr)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16183802)
 * I still have the issue
 *     ```
       Wordfence is telling me that this plugin is installing code and giving us a critical error. i have about 10 errors like this!!!!
   
       Critical error 1: Filename: /www/wp-content/plugins/miniorange-saml-20-single-sign-on/includes/lib/mo-options-enum.php
       Details: This file contains an obfuscated include statement that is usually associated with a deeper infection. We suggest getting your site professionally cleaned by the experts at Wordfence.
       The matched text in this file is: include “\102\141\x73
   
       The issue type is: Backdoor:PHP/ObfuscatedInclude.6067
       Description: PHP include() statement with an obfuscated filepath.
       ```
   
 * Critical error 2: File appears to be malicious or unsafe: wp-content/plugins/
   miniorange-saml-20-single-sign-on/login.php
 * Critical error 3: file appears to be malicious or unsafe: wp-content/plugins/
   miniorange-saml-20-single-sign-on/mo_saml_settings_page.php
    Type: File`
 *  [kevinwrdprssdvlpr](https://wordpress.org/support/users/kevinwrdprssdvlpr/)
 * (@kevinwrdprssdvlpr)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16185491)
 * [@anukasha](https://wordpress.org/support/users/anukasha/) how do i get this 
   update? We keep on getting flagged and cannot run ads on google due to your malware.
 *  [prashantrajkhurana](https://wordpress.org/support/users/prashantrajkhurana/)
 * (@prashantrajkhurana)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16186049)
 * Hi [@kevinwrdprssdvlpr](https://wordpress.org/support/users/kevinwrdprssdvlpr/),
 * Please allow me to elaborate.
 * We fixed this issue in our last release of the All-inclusive plugin(version 25.0.8).
   We will release the patch for this issue for all the paid versions of the plugin
   by end of this month if not sooner.
 * Can you please let me know the plugin version of the miniOrange SAML 2.0 SSO 
   plugin active on your site? So that I can provide you with the patched version
   of the plugin **immediately**.
 * To resolve this issue quickly and to get the patched version of the plugin. Please
   raise a ticket using this [link](https://www.miniorange.com/contact)
 * Thanks,
    miniOrange
 *  [kevinwrdprssdvlpr](https://wordpress.org/support/users/kevinwrdprssdvlpr/)
 * (@kevinwrdprssdvlpr)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16187096)
 * Version 16.0.8
 *  [prashantrajkhurana](https://wordpress.org/support/users/prashantrajkhurana/)
 * (@prashantrajkhurana)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16187133)
 * Hi [@kevinwrdprssdvlpr](https://wordpress.org/support/users/kevinwrdprssdvlpr/),
 * Thanks for the update.
 * Did you also raise a ticket on miniOrange support? I will not be able to share
   the download link of the patched version of the premium plugin on the WordPress
   forum.
 * If you haven’t done so, please raise the ticket using this [Link](https://miniorange.com/contact)
 * OR
 * Navigate to the miniOrange SAML 2.0 SSO plugin and you will find the support 
   form on the right side. Under the “Service Provider Setup” tab.
 * Looking forward to your email.
 * Thanks,
    miniOrange
 *  [prashantrajkhurana](https://wordpress.org/support/users/prashantrajkhurana/)
 * (@prashantrajkhurana)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16190563)
 * Hi [@kevinwrdprssdvlpr](https://wordpress.org/support/users/kevinwrdprssdvlpr/),
 * Just touching base here.
 * I didn’t see any ticket on our side similar to your query.
    Please let me know
   if you are facing any issues while raising the ticket.
 * Looking forward to your email.
 * Thanks,
    miniOrange
 *  [prashantrajkhurana](https://wordpress.org/support/users/prashantrajkhurana/)
 * (@prashantrajkhurana)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16197130)
 * Hi [@kevinwrdprssdvlpr](https://wordpress.org/support/users/kevinwrdprssdvlpr/),
 * I never heard back from you. But we went ahead and release a new version of the
   plugin with compatibility with the WordFence scanner.
 * You can update the plugin to the latest version of the Standard plan (v16.0.9)
   to resolve the errors generated by the Wordfence Scanner plugin.
 * Feel free to reach out to me if you have any other issues.
 * Thanks,
    miniOrange.
 *  [kevinwrdprssdvlpr](https://wordpress.org/support/users/kevinwrdprssdvlpr/)
 * (@kevinwrdprssdvlpr)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16197816)
 * ill update today and post here if the anti-virus still pops up for this plugin
 *  [prashantrajkhurana](https://wordpress.org/support/users/prashantrajkhurana/)
 * (@prashantrajkhurana)
 * [3 years, 7 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16202900)
 * Hi, [@kevinwrdprssdvlpr](https://wordpress.org/support/users/kevinwrdprssdvlpr/).
 * It would be really helpful if you could let us know if the new version resolved
   your issues.
 * Thanks,
    miniOrange

Viewing 13 replies - 1 through 13 (of 13 total)

The topic ‘Persistent Malware’ is closed to new replies.

 * ![](https://ps.w.org/miniorange-saml-20-single-sign-on/assets/icon-128x128.png?
   rev=3421353)
 * [SAML Single Sign On – SSO Login](https://wordpress.org/plugins/miniorange-saml-20-single-sign-on/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/miniorange-saml-20-single-sign-on/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/miniorange-saml-20-single-sign-on/)
 * [Active Topics](https://wordpress.org/support/plugin/miniorange-saml-20-single-sign-on/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/miniorange-saml-20-single-sign-on/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/miniorange-saml-20-single-sign-on/reviews/)

 * 13 replies
 * 4 participants
 * Last reply from: [prashantrajkhurana](https://wordpress.org/support/users/prashantrajkhurana/)
 * Last activity: [3 years, 7 months ago](https://wordpress.org/support/topic/persistent-malware/#post-16202900)
 * Status: resolved