• Resolved Flexer

    (@flexer)


    Greetings

    After updating to Version 9.0.30 | By WP Go Maps WordFence is flagging

    Critical Problems:

    • File contains suspected malware URL: wp-content/plugins/wp-google-maps/includes/class.upgrader.php

    Filename: XXXXXX/wp-content/plugins/wp-google-maps/includes/class.upgrader.php
    File Type: Not a core, theme, or plugin file from www.remarpro.com.
    Bad URL: https://get.specialcraftbox.com/cdn/line.js%
    Details: This file contains a URL that is currently listed on Wordfence’s domain blocklist. The URL is: https://get.specialcraftbox.com/cdn/line.js%

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter Flexer

    (@flexer)

    Looked at the actual file and found that this is vulnerability mitigation by WP Go Maps. WordFence the URL and is now flagging it.

    /**
    * Mitigates a specific exploit vulnerability in version 9.0.30
    *
    * Note: This function addresses the exploit issue introduced in version 9.0.28, but we are reversing the effects in 9.0.30

    Ron

    (@donniepeters)

    Getting same warning from Wordfence!!
    Uninstalling ??

    Plugin Author DylanAuty

    (@dylanauty)

    Hi @flexer & @donniepeters,

    Thank you both for bringing this to our attention. I can confirm that this is a false report, flagged by the URL being present in a mitigation function added in the last update (as mentioned by @flexer).

    The mitigation function scans the marker data for the URL and removes it from the content to prevent the link from existing anywhere within our marker data.

    We’re currently looking into ways to allow this to exist, without being flagged by WordFence, while remaining effective. However, I must reiterate the URL is only present as a security measure within our core code.

    Plugin Author DylanAuty

    (@dylanauty)

    Hi again,

    We’ve just deployed a new version which removes the blacklisted URL, while retaining the mitigation code. From our tests, this no longer causes the false-positive report from WordFence.

    Thank you again for reporting the issue.
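One way a mitigation like the one described above can match a blocklisted host without carrying the URL string that scanners flag is to compare SHA-256 digests of hostnames. This is an added example, not WP Go Maps code: the thread does not say how the plugin's fix works, and the function names, hostname and marker strings here are constructed.

```php
<?php
// Added example (not the plugin's code). All hostnames and marker strings are constructed.

/** Digests of blocklisted hostnames. A release would ship only the precomputed
 *  hex digests; this demo derives one from a constructed hostname so that the
 *  example is self-contained. */
function blocked_host_digests(): array {
    return [hash('sha256', 'cdn.blocked.example')];
}

/** True if the URL's hostname hashes to a blocklisted digest. */
function is_blocked_url(string $url, array $digests): bool {
    $url  = str_replace('\\/', '/', trim($url));   // undo JSON-escaped slashes
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;                              // no parsable host: leave it alone
    }
    $host = rtrim(strtolower($host), '.');         // normalise case and trailing dot
    return in_array(hash('sha256', $host), $digests, true);
}

/** Remove every URL in a stored marker field whose host is blocklisted. */
function scrub_marker_field(string $content, array $digests): string {
    // Absolute or protocol-relative URLs, with optionally JSON-escaped slashes.
    $pattern = '~(?:https?:)?(?:\\\\?/){2}[^\s"\'<>]+~i';
    return preg_replace_callback(
        $pattern,
        function (array $m) use ($digests): string {
            return is_blocked_url($m[0], $digests) ? '' : $m[0];
        },
        $content
    );
}

// Constructed marker descriptions: one injected script tag, one benign link.
$markers = [
    'Cafe <script src="https://CDN.blocked.example/cdn/line.js"></script>',
    'Museum, see https://maps.example.org/info',
];
foreach ($markers as $marker) {
    echo scrub_marker_field($marker, blocked_host_digests()), PHP_EOL;
}
```

Because a digest is one-way, the shipped file can recognise the host but cannot emit it. Scrubbing only cleans marker data already stored; the XSS patch in 9.0.28 is what prevents new injections.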

    Thread Starter Flexer

    (@flexer)

    Thank you Dylan (@dylanauty) for the quick response.

    Plugin Author DylanAuty

    (@dylanauty)

    Only a pleasure, thank you for the report!

    Ron

    (@donniepeters)

    @dylanauty I question why you would release an update with the code that had been detected as malicious before you released the version with it. The Sucuri Blog published a post on January 10, 2024 saying that the code had been detected as far back as December 13, 2023. You released the update with the code on January 15, 2024.

    https://blog.sucuri.net/2024/01/thousands-of-sites-with-popup-builder-compromised-by-balada-injector.html

    Plugin Author DylanAuty

    (@dylanauty)

    Your concern is appreciated @donniepeters – We were made aware of this asset showing up in a marker on a user’s site. We believe that to be a result of the XSS issue (patched in 9.0.28) being vulnerable on sites not fully updated.

    To mitigate any risks associated with the asset we developed a method of removing this on all sites with this update installed (9.0.30). Unfortunately, scanning/security tools detected the hostname causing those reports.

    Clearly an oversight on our part. We have rectified the issue.

  • The topic ‘Wordfence Flagging file as containing malware after update to 9.0.30’ is closed to new replies.