Title: WordPress security issue – upload webscript
Last modified: September 17, 2018

---

# WordPress security issue – upload webscript

 *  Resolved [itmonitor](https://wordpress.org/support/users/itmonitor/)
 * (@itmonitor)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordpress-security-issue-upload-webscript/)
 * Hello,
 * We have a WordPress.org website hosted on a KVM. We noticed that we suffer
   regularly from unauthorized uploads of script exploits (copied below), which use
   the WordPress files admin-post.php and admin-ajax.php to upload those scripts.
 * I deleted the exploit files from the server. I set (again) the WordPress folders
   to 755 and files to 644. I wonder if there is anything you can do to prevent those
   WordPress files from being used to upload exploits onto a server.
 * Looking forward to your reply,
 * Rgs
 * IM
 * ```text
   Web referer URL :
   Local IP : xxx
   Web upload script user : nobody (99)
   Web upload script owner: xxxxxx (1001)
   Web upload script path : /home/xxxxxx/public_html/wp-admin/admin-ajax.php
   Web upload script URL : http://xxxxxxx/wp-admin/admin-ajax.php
   Remote IP : 205.185.123.173 FrantechSolutions
   Deleted : No
   Quarantined : No
   ----------- SCAN REPORT -----------
   TimeStamp: (/usr/sbin/cxs --nobayes --cgi --defapache nobody --doptions Mv --exploitscan --nofallback --filemax 10000 --noforce --html --mail root --options mMOLfSGchexdnwZDRru --qoptions Mv --quiet --sizemax 1000000 --smtp --ssl --summary --sversionscan --timemax 30 --nounofficial --novirusscan /tmp/20180917-015445-W59BpduidjdfatuYgCKlMwAAABg-file-2LHfFB)
   '/tmp/20180917-015445-W59BpduidjdfatuYgCKlMwAAABg-file-2LHfFB'
   Known exploit = [Fingerprint Match] [RFI Exploit [P1419]]
   ```

 *  [Sergio Milardovich](https://wordpress.org/support/users/milardovich/)
 * (@milardovich)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordpress-security-issue-upload-webscript/#post-10695007)
 * Do you have a list of your active plugins you could provide us? The admin-ajax.php
   file is used by several plugins to send ajax requests, so it could be one
   of your third-party plugins sending a jQuery or ajax request to a custom method
   which could be unsafe.
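Added example, not code from the thread or from any plugin it mentions: the kind of plugin AJAX handler Sergio describes, in a weak form beside a hardened one. The action name `demo_upload`, the function names and the nonce field name `nonce` are assumptions.

```php
<?php
// Weak handler: registered on the nopriv hook, so any visitor can reach it
// through admin-ajax.php; no nonce, no capability check, no type restriction,
// and the destination path is built from the client-supplied filename.
add_action( 'wp_ajax_nopriv_demo_upload', 'demo_upload_weak' );
add_action( 'wp_ajax_demo_upload', 'demo_upload_weak' );
function demo_upload_weak() {
    $dest = WP_CONTENT_DIR . '/uploads/' . $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_die( 'ok' );
}

// Hardened handler: logged-in hook only (no wp_ajax_nopriv_ registration),
// nonce check, capability check, and WordPress' own upload validation with
// an explicit allow-list of MIME types. The nonce is created on the page
// that issues the request with wp_create_nonce( 'demo_upload' ) and sent as
// the 'nonce' POST field (assumed name).
add_action( 'wp_ajax_demo_upload', 'demo_upload_hardened' );
function demo_upload_hardened() {
    // Rejects the request (HTTP 403) if the nonce is missing or invalid.
    check_ajax_referer( 'demo_upload', 'nonce' );

    // Only users allowed to upload media may upload files.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() sanitises the filename, checks the extension against
    // the allow-list below and moves the file into the uploads directory.
    $result = wp_handle_upload( $_FILES['file'], array(
        'test_form' => false,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'pdf'      => 'application/pdf',
        ),
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

A scanner alert naming admin-ajax.php as the "upload script", like the one in the opening post, points at a handler of the first kind somewhere in the installed plugins rather than at admin-ajax.php itself.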
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordpress-security-issue-upload-webscript/#post-10695095)
 * Get a fresh cup of coffee, take a deep breath and carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 * If you’re unable to clean your site(s) successfully, there are reputable organizations
   that can clean your sites for you. Sucuri and Wordfence are a couple.
 *  Thread Starter [itmonitor](https://wordpress.org/support/users/itmonitor/)
 * (@itmonitor)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordpress-security-issue-upload-webscript/#post-10695178)
 * [@milardovich](https://wordpress.org/support/users/milardovich/) thank you. Please,
   is there a way I can send the plugin list to you through Private Message?
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordpress-security-issue-upload-webscript/#post-10695234)
 * No, there is not a way you can private message, and attempting to do so is not
   allowed. You’re asking for help on a public forum. If you want help then you
   need to use the forum.
 *  Thread Starter [itmonitor](https://wordpress.org/support/users/itmonitor/)
 * (@itmonitor)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordpress-security-issue-upload-webscript/#post-10695253)
 * [@anevins](https://wordpress.org/support/users/anevins/) thank you Andrew. Listing
   publicly the WordPress plugins installed on my server would bring security risks.
   Do you have any option to keep this list confidential?
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordpress-security-issue-upload-webscript/#post-10695407)
 * Nope
 *  Thread Starter [itmonitor](https://wordpress.org/support/users/itmonitor/)
 * (@itmonitor)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordpress-security-issue-upload-webscript/#post-10696265)
 * Thank you. Seems like there could be a vulnerability in WordPress or in one plugin
   that could be in use by many WordPress.org users and bringing them potential
   risk (data, information, whatever). I am trying to help find this vulnerability
   and eliminate it. If there is anybody from WordPress security reading this thread
   and to whom I can send a PM or email with my plugins list, I am ready to cooperate.
   Thank you.
    -  This reply was modified 7 years, 9 months ago by [itmonitor](https://wordpress.org/support/users/itmonitor/).
 *  [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * (@anevins)
 * WCLDN 2018 Contributor | Volunteer support
 * [7 years, 9 months ago](https://wordpress.org/support/topic/wordpress-security-issue-upload-webscript/#post-10696378)
 * There is nothing confidential or vulnerable about listing your plugins, but it
   matters not. You are hacked and you need to work through the recommended articles
   to delouse your site. Looking through infected plugins after you’ve been hacked
   isn’t the way to do that.
 * If you’ve missed my reply, here it is again:
    Follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 * If you’re unable to clean your site(s) successfully, there are reputable organizations
   that can clean your sites for you. Sucuri and Wordfence are a couple.
 * You have not demonstrated an issue with WordPress core; Edit: Or in a plugin 
   or theme.
    -  This reply was modified 7 years, 9 months ago by [Andrew Nevins](https://wordpress.org/support/users/anevins/).

The topic ‘WordPress security issue – upload webscript’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 8 replies
 * 0 participants
 * Last reply from: [Andrew Nevins](https://wordpress.org/support/users/anevins/)
 * Last activity: [7 years, 9 months ago](https://wordpress.org/support/topic/wordpress-security-issue-upload-webscript/#post-10696378)
 * Status: resolved
