Title: Plugin Injected with Malware?
Last modified: June 8, 2026

---

# Plugin Injected with Malware?

 *  [bryanvandy](https://wordpress.org/support/users/bryanvandy/)
 * (@bryanvandy)
 * [1 week, 4 days ago](https://wordpress.org/support/topic/plugin-injected-with-malware/)
 * A client installed this on their website 2 days ago and my host had to clean 
   the site for malware and the infected file was in the plugin. Beware when using
   this, plugin author please investigate. Thank you!
 * CLEARED: Cleared malware from file: ./wp-content/plugins/mega-ai/mega.php Details:
   php.spam-seo.injector.357

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [kevingomega](https://wordpress.org/support/users/kevingomega/)
 * (@kevingomega)
 * [1 week, 3 days ago](https://wordpress.org/support/topic/plugin-injected-with-malware/#post-18933653)
 * Hi [@bryanvandy](https://wordpress.org/support/users/bryanvandy/) — thanks for
   flagging this, and sorry for the scare. We’ve investigated.
 * **Short version: this is a false positive from the host’s heuristic scanner, 
   not malicious code in the MEGA AI plugin.**
 * `php.spam-seo.injector.357` is a _pattern-based_ ClamAV signature. It fires on
   code that reads HTML from the database and outputs it into the page `<head>`.
   Our plugin does legitimately do that — it’s how the SEO platform injects things
   like verification meta tags, tracking pixels, and JSON-LD schema that you’ve 
   approved. The scanner matches on the _shape_ of that code, not on any actual 
   spam or malicious content. There is no `eval()`, no obfuscation, no remote code
   execution, and no external code loading anywhere in the plugin (we removed the
   self-update mechanism back in v1.6.1 for exactly this kind of compliance). You
   can verify the distributed code yourself against the official package at [https://wordpress.org/plugins/mega-ai/](https://wordpress.org/plugins/mega-ai/).
 *  That said, we want to be thorough about _your client’s specific site_, because
   there’s a second possibility worth ruling out: if a site is compromised through
   another vector (a vulnerable theme/plugin, weak admin creds, etc.), attackers
   commonly drop payloads into _any_ writable plugin folder — including ours. If
   that happened here, the file your host “cleaned” would have been modified on 
   your server, not shipped that way by us.
 *  To sort out which it is, could you share **the full scan log / the exact contents
    your host quarantined from `mega.php`**? That tells us immediately whether
   it was a heuristic hit on our legitimate code or a real injected payload on the
   server. In the meantime, if you want to disable all of our head injection on 
   the site instantly, an admin can append `?mega-safe-mode=1` to any URL — that’s
   our built-in emergency off switch.
 *  Happy to take this to email if you’d prefer: support is reachable via [lindsay@gomega.ai](mailto:lindsay@gomega.ai).
   Appreciate you raising it publicly so we could address it.
 *  Thread Starter [bryanvandy](https://wordpress.org/support/users/bryanvandy/)
 * (@bryanvandy)
 * [1 week, 3 days ago](https://wordpress.org/support/topic/plugin-injected-with-malware/#post-18933677)
 * Thank you Kevin! I will follow up with my host to see if this was falsely marked
   or infected from another source.
 *  Thread Starter [bryanvandy](https://wordpress.org/support/users/bryanvandy/)
 * (@bryanvandy)
 * [3 days ago](https://wordpress.org/support/topic/plugin-injected-with-malware/#post-18940246)
 * I have a pastebin provided by my host of the file contents, they didn’t have 
   any other information: [https://pastebin.sucuri.net/aw3kmb1cgv8o](https://pastebin.sucuri.net/aw3kmb1cgv8o)
 *  [kevingomega](https://wordpress.org/support/users/kevingomega/)
 * (@kevingomega)
 * [1 day, 20 hours ago](https://wordpress.org/support/topic/plugin-injected-with-malware/#post-18941525)
 * Thanks for sending that over. I pulled the pastebin and can confirm what it is.
 * That quarantined file is the real MEGA AI plugin (mega.php, version 2.1.1). The
   header, the Mega namespace, the WordPress includes, and the intent runtime are
   all our own published code. There’s nothing injected or foreign in what Sucuri
   captured.
 * The php.spam-seo.injector.357 detection is a heuristic, not a match against known
   malware. It triggers on the general pattern of a plugin reading HTML/SEO markup
   from the database and printing it into the page head. That’s what MEGA AI does
   to output meta tags, verification tags, and JSON-LD schema, and it’s the same
   thing Yoast, Rank Math, and All in One SEO do. The scanner is reacting to the
   behavior, not to anything malicious in the code.
 * There’s no eval() in that file, no base64_decode or gzinflate obfuscation, no
   remote code execution, and nothing pulling in external domains. The v2 runtime
   referenced at the top of the file removed the older snippet mechanism, so everything
   now runs through fixed, validated handlers.
 * If you want to be completely sure the copy on your server is untouched, compare
   it against the official one. Download the plugin zip from [https://wordpress.org/plugins/mega-ai/](https://wordpress.org/plugins/mega-ai/)
   and check your mega.php against the one in the zip (md5sum or sha256sum, or your
   host’s file integrity tool). If they match, the file hasn’t been modified and
   this is a confirmed false positive. Reinstalling the plugin from the WordPress.org
   directory does the same thing and gives you a clean copy either way.
 * I’m also happy to ask Sucuri to whitelist this for the plugin.
 * One thing worth checking on your end: if the scan flagged anything outside
   mega-ai/mega.php, like other plugins, theme files, or anything under wp-content/uploads,
   send me those paths. That would point to an actual compromise separate from this
   plugin, and I’d rather help you track that down than let this false positive 
   bury it.
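
The comparison described in the reply above, extended from the single mega.php to every file in the plugin folder, as an added example that is not part of the thread or the plugin's code. It assumes the official zip keeps its files under a top-level `mega-ai/` folder; every file name other than `mega.php` is a constructed placeholder.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_plugin(zip_file, installed_dir, slug="mega-ai"):
    """Hash every file in the official zip and in the installed plugin folder.

    Returns sorted relative paths: 'modified' (content differs), 'missing'
    (in the zip only) and 'extra' (on the server only, e.g. a dropped file).
    """
    official = {}
    with zipfile.ZipFile(zip_file) as zf:
        for info in zf.infolist():
            # Assumption: files sit under "<slug>/" inside the zip.
            if info.is_dir() or not info.filename.startswith(slug + "/"):
                continue
            official[info.filename[len(slug) + 1:]] = sha256(zf.read(info))
    root = Path(installed_dir)
    installed = {p.relative_to(root).as_posix(): sha256(p.read_bytes())
                 for p in root.rglob("*") if p.is_file()}
    shared = official.keys() & installed.keys()
    return {
        "modified": sorted(f for f in shared if official[f] != installed[f]),
        "missing": sorted(official.keys() - installed.keys()),
        "extra": sorted(installed.keys() - official.keys()),
    }


def demo():
    """Constructed sample: an in-memory 'official' zip and a temp 'server' copy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mega-ai/mega.php", b"<?php // official main file\n")
        zf.writestr("mega-ai/readme.txt", b"=== MEGA AI ===\n")
        zf.writestr("mega-ai/includes/runtime.php", b"<?php // official\n")
    buf.seek(0)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "mega.php").write_bytes(b"<?php // official main file\n")
        (root / "includes/runtime.php").write_bytes(b"<?php // official\n/* appended */\n")
        (root / "includes/cache.php").write_bytes(b"<?php // not in the zip\n")
        return compare_plugin(buf, root)
```

An empty `modified` and `extra` means the installed copy matches the package; any entry in either list is a file to inspect by hand.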

 * 4 replies
 * 2 participants
 * Last reply from: [kevingomega](https://wordpress.org/support/users/kevingomega/)
 * Last activity: [1 day, 20 hours ago](https://wordpress.org/support/topic/plugin-injected-with-malware/#post-18941525)
 * Status: not resolved