• Resolved biskootz

    (@biskootz)


    Hi,

    I have the Defender plugin installed on my website. After scanning, the plugin showed several issues, listed below, in your plugin file wp-crontrol/wp-crontrol.php. I just want to confirm whether these checks are false positives so that I can safely ignore the issues.

    The function eval called at line 68 column 3, which should be avoided whenever possible.

    The function extract at line 87 column 4 executes using unsanitized user inputs.

    The function extract at line 107 column 4 executes using unsanitized user inputs.

    The function extract at line 128 column 4 executes using unsanitized user inputs.

    The function extract at line 152 column 4 executes using unsanitized user inputs.

    Thanks

    • This topic was modified 5 years, 4 months ago by biskootz.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author John Blackbourn

    (@johnbillion)

    WordPress Core Developer

    Thanks for the message.

    The call to eval only ever operates on PHP that is entered by a user who has the edit_files capability, by adding a PHP Cron Event. If a user cannot edit files, they cannot add PHP that gets passed to this call to eval.

    The calls to extract are less than ideal and I want to remove them at some point, but they are safe due to their use of the $prefix parameter and the fact that the resulting $in_* variables are validated and sanitised as necessary depending on the action being performed.
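
    The two points in the reply above (a capability gate in front of eval, and a prefixed extract whose resulting variables are then validated) as an added, stand-alone example. This is not WP Crontrol's code; demo_current_user_can() is a stand-in for WordPress's current_user_can(), and the function names, the request array and the hook-name regex are constructed for illustration.

```php
<?php
// Added example, not the plugin's code. Shows (1) why an eval() that only
// runs for users holding edit_files is the same trust boundary as the file
// editor, and (2) how extract() with EXTR_PREFIX_ALL avoids clobbering local
// variables, while the $in_* values still need validation before use.

// Stand-in for WordPress's current_user_can() (assumption for this demo).
// On a real site use current_user_can( 'edit_files' ); WordPress maps that
// capability to do_not_allow when DISALLOW_FILE_EDIT or DISALLOW_FILE_MODS
// is defined, so the same gate also honours those constants.
function demo_current_user_can( string $cap, array $user_caps ): bool {
    return in_array( $cap, $user_caps, true );
}

// (1) eval() behind a capability check: the stored PHP is only evaluated
//     for a user who could already write arbitrary PHP via the file editor.
function demo_run_php_event( string $code, array $user_caps ) {
    if ( ! demo_current_user_can( 'edit_files', $user_caps ) ) {
        throw new RuntimeException( 'edit_files capability required to run a PHP cron event' );
    }
    return eval( $code );
}

// (2a) Unprefixed extract(): any request key with the same name as a local
//      variable silently overwrites it (default flag is EXTR_OVERWRITE).
function demo_unsafe_extract( array $request ): bool {
    $is_admin = false;
    extract( $request );          // $request['is_admin'] replaces the local $is_admin
    return $is_admin;
}

// (2b) Prefixed extract(): keys become $in_<key>, so they cannot collide with
//      existing locals. Each $in_* value is still untrusted input and is
//      validated here before being used (hook names restricted to [A-Za-z0-9_]).
function demo_prefixed_extract( array $request ): array {
    $is_admin = false;
    extract( $request, EXTR_PREFIX_ALL, 'in' );   // defines $in_is_admin, $in_hookname, ...
    $hookname = isset( $in_hookname )
        ? preg_replace( '/[^A-Za-z0-9_]/', '', (string) $in_hookname )
        : '';
    return array( 'is_admin' => $is_admin, 'hookname' => $hookname );
}

// Constructed input standing in for $_POST from an untrusted client.
$request = array(
    'is_admin' => true,
    'hookname' => 'my_hook; rm -rf /',
);

var_dump( demo_unsafe_extract( $request ) );    // local flag taken over by the request
var_dump( demo_prefixed_extract( $request ) );  // flag untouched, hook name reduced to its safe characters

// Capability gate around eval(): the first call runs, the second is refused.
var_dump( demo_run_php_event( 'return 1 + 1;', array( 'edit_files' ) ) );
try {
    demo_run_php_event( 'return 1 + 1;', array( 'edit_posts' ) );
} catch ( RuntimeException $e ) {
    echo $e->getMessage(), PHP_EOL;
}
```

    The practical check for a site owner is therefore not the eval() line itself but who holds edit_files: if you define DISALLOW_FILE_EDIT in wp-config.php, no user can add PHP cron events, which is the same posture as disabling the built-in plugin and theme editors.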

    Thread Starter biskootz

    (@biskootz)

    Thanks for the reply and explanation.

  • The topic ‘Defender checks suspicious function’ is closed to new replies.