Defender found a suspicious file

Defender says there is one piece of suspicious code. It’s in a plugin PHP file.

What should I do here?

When I try to fix the error, it gives me a dark screen with nothing in it. Like some popup is trying to show but I don’t see anything.

  • Ash
    • Code Norris

    Hello Emmanuel

    The PowerPress plugin is using preg_replace_callback() on lines 3051 and 3061. The preg_replace_callback() function has some security concerns, so Defender detected that function.

    Here is a brief Stack Overflow thread you may read: https://stackoverflow.com/questions/7814415/preg-replace-preg-replace-callback-security-concerns?rq=1

    You may want to discuss this with the plugin author. Feel free to show them the Defender report.


    Have a nice day!

    Cheers,

    Ash

  • Hoang Ngo
    • The Green Incsub

    Hi there,

    The combination of preg_replace_callback and create_function makes it look like a suspicious script trying to run obfuscated code; that’s why Defender catches it.

    But in your case, it seems to be just a false positive, so you can ignore it.

    Best regards,

    Hoang

  • Carlos
    • The Incredible Code Injector

    Hi,

    Got a response from the Powerpress team:

    I am looking into this.

    The good news is, this code is within a function called powerpress_repair_serialize(); it is only used to fix serialized content created by a very old plugin called PodPress from many, many years ago. It fixes serialized content that was corrupted by the PodPress plugin. The code you are concerned about security-wise would only be executed if you have had a site in the past that created podcast episodes with the PodPress plugin enabled when it had this bug.

    The link you provided explains the security risk of using preg_match with /e, but it also goes on to explain that it is better to use preg_replace_callback. I did some Google searches and found no other references about security issues with preg_match_callback, and the link provided is really focused on preg_replace with /e as the primary security concern. Perhaps you can have your support tech from the WPMU Dev Defender plugin explain why preg_replace_callback should not be used? This may also lead to changes in WordPress core; WordPress itself uses the preg_replace_callback function in many places. We will need an explanation of what is wrong with using the function to see if this is something we need to submit a bug ticket to the WP core team for.
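The heuristic the two posts above describe (preg_replace_callback paired with create_function looks like obfuscated code, while the /e modifier on preg_replace is the real concern), written up as an added Python scanner. This is example code, not part of the thread, of Defender or of PowerPress; the sample PHP statements and the callback name fix_serialized_len are constructed for the example.

```python
import re

# Constructed sample PHP statements (not the PowerPress source), one per line,
# covering the four cases discussed in the thread.
SAMPLE_PHP = r'''
$a = preg_replace_callback('/s:(\d+):"(.*?)";/', 'fix_serialized_len', $data);
$b = preg_replace_callback('/s:(\d+):"(.*?)";/', create_function('$m', 'return strlen($m[2]);'), $data);
$c = preg_replace('/(.*)/e', 'strtoupper("$1")', $data);
$d = preg_replace('/foo/i', 'bar', $data);
'''

# preg_replace( 'DELIM pattern DELIM flags' ...): group 4 captures the flag letters.
# Note the \( right after the name, so preg_replace_callback( does not match here.
PREG_REPLACE_FLAGS = re.compile(r"""\bpreg_replace\s*\(\s*(['"])(\W)(.*?)\2([A-Za-z]*)\1""")
CALLBACK = re.compile(r"\bpreg_replace_callback\s*\(")
CREATE_FUNCTION = re.compile(r"\bcreate_function\s*\(")


def scan_line(line):
    """Classify one PHP statement: (severity, reason) or None if nothing to flag."""
    m = PREG_REPLACE_FLAGS.search(line)
    if m and 'e' in m.group(4):
        # The /e modifier makes PHP eval() the replacement string: a real risk.
        return ('high', 'preg_replace with /e: replacement string is evaluated as PHP')
    if CALLBACK.search(line) and CREATE_FUNCTION.search(line):
        # A callback built at runtime from a string is a common obfuscation shape,
        # but, as in the PowerPress case, it can also be legitimate legacy code.
        return ('medium', 'preg_replace_callback with create_function: '
                          'runtime-built callback, review whether it is obfuscated code')
    # A named callback or a plain replacement string is not flagged at all.
    return None


def scan(source):
    """Return [(line_number, severity, reason), ...] for every flagged line."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        hit = scan_line(line)
        if hit:
            findings.append((n, hit[0], hit[1]))
    return findings


if __name__ == '__main__':
    for n, severity, reason in scan(SAMPLE_PHP):
        print(f'line {n}: [{severity}] {reason}')
```

Run on the sample, only the create_function line (medium) and the /e line (high) are reported; the named-callback call that PowerPress-style repair code would use is silent.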

  • Nithin Ramdas
    • Support Wizard

    Hi Emmanuel,

    Hope you are doing good today. :slight_smile:

    As mentioned in the previous reply, it’s more of a false positive on how the preg_replace_callback function is used.

    We did follow up with the PowerPress developer regarding the above response here:

    https://wordpress.org/support/topic/defender-found-a-suspicious-file/#post-11012364

    I hope this brings more clarity. Please do let us know if you have any further queries. :slight_smile:

    Regards,

    Nithin