New to the community? Start here

[Defender Pro] Suspicious code check

Defender shows me 8 warnings for files containing suspicious code. Would you please check whether I need to ignore those warnings or delete them?

Wed, 24 Jul 2019 1:55:14
More Defender Pro discussions
Defender Pro
  • Prathamesh Palve
    • Tech Support Team Lead

    Hello Celsio,

    The following are the plugins and themes which have a potentially weaker code. A weak code does not mean that we are not safe at the moment but also does not mean that we are completely safe:

    1. woocommerce-pdf-invoices-packing-slips

    2. Worker plugin in plugins-ORG/worker/

    3. wp-time-capsule in plugins-ORG/wp-time-capsule/

    4. Themify Shoppe themes/themify-shoppe/

    I see the eval function is being called in major cases. Here is a link explaining how can eval function calling be dangerous:

    https://security.stackexchange.com/questions/179375/how-eval-in-php-can-be-dangerous-in-web-applications-security

    I suggest you contact the plugin authors and state the reference of this suspicious codes detected. They should help you by updating the needed code and new plugin update which should then resolve the issue.

    I also see the detected code has unsanitized user inputs being taken. This can be a huge risk when dealing with e-commerce sites. You read more about sanitized and unsanitized data here:

    https://www.computerhope.com/jargon/s/sanitized-data.htm

    Lastly, I see that there is an error log file which seems to be the theme log file which is present in the WordPress core i.e wp-includes. Before we count that safe, I would need to check the file. can you login to your site server using FTP and navigate to /home/metrousb/public_html/wp-includes/theme-compat/error_log

    and copy all the file contents in the text file and send it to us here to check that?

    I am looking forward to hearing from you on this. Have a great day ahead.

    Thanks,

    Prathamesh