Title: Plugin was compromised
Last modified: March 1, 2024

---

# Plugin was compromised

 *  Resolved [lukameci](https://wordpress.org/support/users/lukameci/)
 * (@lukameci)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-compromised-2/)
 * We recently had a malware breach on our webpage which caused the user to be redirected
   to an ad page upon landing on our webpage. This only affected mobile devices,
   desktops did not take notice.
 * I isolated this plugin to be the culprit after disabling all the plugins and 
   enabling them one by one.
 * I think this is a case of SQL injection?
 * Access logs show the following:
 * XXX.XX.XXX.XX - - [01/Mar/2024:00:11:55 -0700] "POST /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/2 HTTP/1.1" 200 685 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
 * XXX.XX.XXX.XX - - [01/Mar/2024:00:11:55 -0700] "POST /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/1 HTTP/1.1" 500 2742 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
 * XXX.XX.XXX.XX - - [01/Mar/2024:00:11:55 -0700] "POST /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/3 HTTP/1.1" 500 2736 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
 * For now I will be disabling this plugin and if there is something else you might
   need please let me know

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Thread Starter [lukameci](https://wordpress.org/support/users/lukameci/)
 * (@lukameci)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-compromised-2/#post-17467400)
 * Same IP makes GET requests:
   XXX.XX.XXX.XX - - [01/Mar/2024:09:10:15 -0700] "GET /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/3 HTTP/1.1" 500 2761 "http://DOMAIN.com/wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/3" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
 * XXX.XX.XXX.XX - - [01/Mar/2024:09:10:15 -0700] "GET /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/6 HTTP/1.1" 500 2761 "http://DOMAIN.com/wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/6" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
 * XXX.XX.XXX.XX - - [01/Mar/2024:09:10:15 -0700] "GET /wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/1 HTTP/1.1" 500 2761 "http://DOMAIN.com/wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/1" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"
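The request shape in the two log excerpts above can be searched for in an access log. This is an added example, not part of the original posts or the plugin's code: the three heuristics are drawn only from the lines quoted in this thread, and the sample lines and IP addresses are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
MARKER_ROUTE = re.compile(r"^/wp-json/wpgmza/v1/markers(/|$)", re.I)

def classify(line):
    """Return (ip, status, reasons) for a suspicious marker-route hit, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not MARKER_ROUTE.match(url.path):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    reasons = set()
    override = {v.lower() for v in qs.get("_method", [])}
    if override and m["method"].lower() not in override:
        reasons.add("method-override")        # e.g. POST sent with _method=get
    if any(v.lower().startswith("/wpgmza/") for vs in qs.values() for v in vs):
        reasons.add("route-in-param")         # a REST route passed as a value
    if url.path != url.path.lower():
        reasons.add("mixed-case-namespace")   # /wpgmzA/ instead of /wpgmza/
    return (m["ip"], int(m["status"]), reasons) if reasons else None

def summarize(lines):
    """Group suspicious hits by client IP with status counts and reasons."""
    report = defaultdict(lambda: {"statuses": Counter(), "reasons": set()})
    for ip, status, reasons in filter(None, map(classify, lines)):
        report[ip]["statuses"][status] += 1
        report[ip]["reasons"] |= reasons
    return dict(report)

def _line(ip, method, target, status):   # builds one constructed log line
    return (f'{ip} - - [01/Mar/2024:00:11:55 -0700] "{method} {target} HTTP/1.1" '
            f'{status} 685 "-" "Mozilla/5.0"')

PROBE = "/wp-json/wpgmzA/v1/markers?_method=get&random=/wpgmza/v1/markers/"
SAMPLE = [  # constructed input using documentation IP ranges
    _line("203.0.113.7", "POST", PROBE + "2", 200),
    _line("203.0.113.7", "POST", PROBE + "1", 500),
    _line("203.0.113.7", "GET", PROBE + "3", 500),
    _line("198.51.100.20", "GET", "/wp-json/wpgmza/v1/markers", 200),
    _line("198.51.100.20", "GET", "/wp-json/wp/v2/posts?_method=get", 200),
]

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE).items():
        print(ip, dict(info["statuses"]), sorted(info["reasons"]))
```

A 200 response to one of these requests on a site that was running an unpatched version is the line to follow up on first, since the 500s in the thread are the fatal error the plugin author describes.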
 *  Plugin Author [DylanAuty](https://wordpress.org/support/users/dylanauty/)
 * (@dylanauty)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-compromised-2/#post-17470877)
 * Hi [@lukameci](https://wordpress.org/support/users/lukameci/),
 * Thank you for getting in touch. My apologies for the trouble experienced.
 * Yes, there was a known exploit that allowed this endpoint to be exploited, and
   it was reported to us in December. We acted quickly to get patches out to secure
   the endpoints. After this we released updates which attempt to clean up any known
   data, based on what we knew about the redirects being stored.
 * At this point in time, I can confirm that this vector is no longer accessible
   to new attacks, but it is possible that your marker data has not been cleaned
   up properly. If you are open to sharing your marker data with us via our website,
   we can help you in getting rid of any of the redirects, as well as expanding 
   our cleanup system to remove this across sites.
 * We are aware of a fatal error which is being thrown on that endpoint as it seems
   there are still scripts attempting to perform the same actions. That fatal error
   will be solved in our update which we expect to be released tomorrow.
 * Again, we’d appreciate you [reaching out to us directly](https://www.wpgmaps.com/contact-us/)
   so that we can work with you more closely in solving the issue with your existing
   markers.
 *  [johnwpc](https://wordpress.org/support/users/johnwpc/)
 * (@johnwpc)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-compromised-2/#post-17478724)
 * I seem to be experiencing similar issues on several sites despite updating to
   the latest plugin version. Sent details via website.
 *  Plugin Author [DylanAuty](https://wordpress.org/support/users/dylanauty/)
 * (@dylanauty)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-compromised-2/#post-17478940)
 * Hi [@johnwpc](https://wordpress.org/support/users/johnwpc/),
 * Thank you for sending over the details on our website. We’ll be in touch as soon
   as possible to assist.
 * For reference, this thread is also related: [https://wordpress.org/support/topic/fatal-php-error-39/](https://wordpress.org/support/topic/fatal-php-error-39/) –
   The root cause of errors being reported has been resolved, meaning the invalid
   requests (likely from a 3rd party) have been fixed.
 * We aren’t able to block these kinds of requests as the API endpoint is public,
   and is used to fetch marker data, but the sites running updated versions will
   no longer cause any fatal errors.
 * With that said, we’ll discuss this further with you via email!
 *  [rservaas](https://wordpress.org/support/users/rservaas/)
 * (@rservaas)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-compromised-2/#post-17484533)
 * We seem to have the same experience. When disabling the WP Google Maps plugin
   the redirects stop.
 * We see a weird http(?) link in some files; http://affiliatetracker.io/?aff=". $id."&affuri=".base64_encode($link);
 * Could be that this route is compromised.
 * —
 * Edit: I guess the above is not the redirect source. Found an SQL injection in the
   first entry of the **wp_wpgmza** table. After this the redirects stop and we
   can use the plugin again. Updated to the latest version.
    -  This reply was modified 2 years, 2 months ago by [rservaas](https://wordpress.org/support/users/rservaas/).
 *  Plugin Author [DylanAuty](https://wordpress.org/support/users/dylanauty/)
 * (@dylanauty)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-compromised-2/#post-17484743)
 * Hi [@rservaas](https://wordpress.org/support/users/rservaas/),
 * Thank you for reaching out, we do appreciate your time. The issue within the 
   code was solved some time ago, this has been confirmed in various tests since
   then.
 * However, we also released a few updates which attempt to clean/remove any already
   exploited data. Unfortunately, it’s not possible for us to anticipate every URL/
   pattern that might have been used, which means some may not have been fully cleared.
 * I noticed you mentioned that you have since resolved this, but for anyone else
   who may have a similar situation, we do encourage reaching out to us on [our website](https://www.wpgmaps.com/contact-us/),
   so that we can take a closer look.
 * We do appreciate everyone’s time and understanding in this regard.
 *  [Samuel](https://wordpress.org/support/users/samuelldrew/)
 * (@samuelldrew)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-compromised-2/#post-17498950)
 * The issue was the marker; they inserted scripts in the description field that
   caused the problem. I deleted the markers via phpMyAdmin, updated the plugin
   and added the markers again. Things seem okay now.
 *  Plugin Author [DylanAuty](https://wordpress.org/support/users/dylanauty/)
 * (@dylanauty)
 * [2 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-compromised-2/#post-17499396)
 * Hi [@samuelldrew](https://wordpress.org/support/users/samuelldrew/),
 * Thank you for letting us know, we do appreciate your time and insight. We have
   recently become aware of another script pattern which is affecting some users.
 * We’ve released an update which will automatically clean up marker fields which
   were compromised by previous weaknesses in the REST API endpoints.
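Because the injected URLs and patterns vary, as the plugin author notes above, a check of exported marker rows can look for active markup rather than for known strings. This is an added example, not the plugin's cleanup code: the column names (`id`, `title`, `description`, `link`, `address`) are assumptions about a **wp_wpgmza** export, and the sample rows are constructed.

```python
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}

class ActiveContentFinder(HTMLParser):
    """Collects markup that can execute or load code when a marker is rendered."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased; values arrive entity-decoded.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            compact = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")

def find_active_content(text):
    parser = ActiveContentFinder()
    parser.feed(text or "")
    parser.close()
    return parser.findings

def scan_markers(rows, fields=("title", "description", "link", "address")):
    """Return (marker id, field, findings) for every field holding active markup."""
    flagged = []
    for row in rows:
        for field in fields:
            findings = find_active_content(row.get(field))
            if findings:
                flagged.append((row["id"], field, findings))
    return flagged

# Constructed rows; column names are assumed, not taken from the plugin schema.
SAMPLE_ROWS = [
    {"id": 1, "title": "Head office", "description": "<p>Open 9 to 5</p>"},
    {"id": 2, "title": "Depot",
     "description": 'Yard<script src="https://example.invalid/x.js"></script>'},
    {"id": 3, "title": '<img src="pin.png" onerror="void 0">', "description": ""},
    {"id": 4, "title": "Shop", "link": "https://example.org/store",
     "description": '<a href="&#106;avascript:void(0)">map</a>'},
]

if __name__ == "__main__":
    for marker_id, field, findings in scan_markers(SAMPLE_ROWS):
        print(marker_id, field, findings)
```

Rows it reports are candidates for manual review before deletion or re-entry, which is the cleanup Samuel describes doing by hand.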


The topic ‘Plugin was compromised’ is closed to new replies.


 * 8 replies
 * 7 participants
 * Last reply from: [DylanAuty](https://wordpress.org/support/users/dylanauty/)
 * Last activity: [2 years, 2 months ago](https://wordpress.org/support/topic/plugin-was-compromised-2/#post-17499396)
 * Status: resolved