• Resolved backpackingseries

    (@backpackingseries)


    Hi,

    Thanks for this super helpful plugin.

    Last week, I was testing a site and it flagged a file inside the WPVivid Backup and Restore plugin (Middleware.php) as a known threat.

    So, I raised the issue with the plugin authors and they said it's a required file. The AWS documentation talking about the file is here.

    Is this a false positive or something to assess further?

    Kind regards,

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author Eli

    (@scheeeli)

    I don’t think this is a false positive. The code that you posted a link to does in fact appear safe, but when I scanned that sample with my plugin it also was not detected as a known threat. This leads me to suspect that the Middleware.php file on your site is actually infected with some kind of malware injection.

    Have you compared your file to the sample that you have supplied a link to here?

    Have you clicked on this Middleware.php file when it came up in the scan results to see the contents of the file and highlight the potential threat in the code?

    Please do this and let me know what you find. If there is a malicious code injection in that file my plugin can automatically remove it for you, thus restoring the file to its original state with only the intended code within it.

    Thread Starter backpackingseries

    (@backpackingseries)

    Thank you so much.

    I requested the WPVivid plugin authors to install GOTMLS and sign in to your net to download the signature updates and do a scan. They did so on a clean, new site setup for the purpose of testing this issue. They could reproduce the issue I reported. Hence I started this thread.

    However, since GOTMLS reported it as a Known Threat, I installed Wordfence and made a second scan. For some reason, Wordfence marks the site and the WPVivid Pro plugin as clean.

    Apologies if this is a noob query, but is this possible to have different scan results on two separate tools?

    Kind regards,

    Plugin Author Eli

    (@scheeeli)

    The file I have Middleware.php is from the guzzle source code and is included in both wpvivid-backup plugins as well as the popular wordpress-seo plugin and likely others as well. It is not a threat in its original state so I need to understand why it shows up as a threat on your site. My assumption is that it was infected on your site so I would like to see the code that is highlighted in Anti-Malware scan results and flagged as a known threat.

    So I ask again: Have you clicked on this Middleware.php file when it came up in the scan results to see the contents of the file and highlight the potential threat in the code?

    Can you please do this and then send me a screenshot and hover over the numbered link at the top of that window so that it shows the names of the potential threat found in that file?

    You can also email this information directly to me if you don’t want to post it on this forum:
    eli AT gotmls DOT net

    Thread Starter backpackingseries

    (@backpackingseries)

    Hi,

    Thank you so much for the guidance.

    I followed your instructions and this is highlighted code:

    // Fragment of Middleware.php highlighted by the scanner. It reads two Lambda
    // environment variables and, when running inside Lambda, forwards the request
    // with an X-Amzn-Trace-Id header unless one is already present.
    $isLambda = getenv('AWS_LAMBDA_FUNCTION_NAME');
    // In single-quoted PHP strings '\e' and '\x1b' are literal backslash sequences;
    // the replacement lets stripcslashes() below turn them into the ESC byte.
    $traceId = str_replace('\e', '\x1b', getenv('_X_AMZ_TRACE_ID'));

    if ($isLambda && $traceId) {
        if (!$request->hasHeader('X-Amzn-Trace-Id')) {
            return $handler($command, $request->withHeader(
                'X-Amzn-Trace-Id',
                rawurlencode(stripcslashes($traceId))
            ));
        }
    }
    // Not in Lambda, or header already set: pass the request through unchanged.
    return $handler($command, $request);
    };   // end of inner handler closure
    };   // end of outer middleware closure
    }    // end of the enclosing function (header not included in the post)

    Here’s the screenshot of the same – https://imgur.com/a/02EolL3

    Could you please advise on how to respond here?

    Appreciate your support

    Kind regards,

    Plugin Author Eli

    (@scheeeli)

    Ok, something does not add up and your screenshot finally gave me a clue. As I said, I have downloaded and tested both of the wpvivid-backup plugins available on the WordPress Plugin Repository, and they both have a Middleware.php file, but they also both scan fine with no threats found. It looks like you have the Pro version and that version of the plugin has another file called Middleware.php with totally different contents that I have yet to see. Can you please send me that whole file so that I can see what this $handler function is and update the definitions if it's safe?

    Thread Starter backpackingseries

    (@backpackingseries)

    Thank you,

    For further investigation, I’ve sent the Pro version zip download link (latest version as of today) and the PHP file in question via email.

    Appreciate your support

    Kind regards,

    Plugin Author Eli

    (@scheeeli)

    Thank you for sending me that file, it is actually nothing at all like those files with the same name that I found in the free versions of that plugin. I was able to confirm that although they are passing a Hex encoded string to a dynamic function (a function called using a variable name), they are not using it in a malicious way so this is in fact a false positive.

    I have updated my definitions for this threat so as to not include the code in this file. Thanks again for taking the time to bring this to my attention and get me the information needed to confirm and fix the issue.
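    The two checks this thread turns on are comparing the installed file with the vendor's copy (Eli's first reply) and a signature for a hex-encoded string passed to a variable-named function that fires on benign code until the known-good file is allowlisted (this reply). The following is an added example written for this page, not code from GOTMLS, WPVivid or the AWS SDK; the heuristic regex and both PHP samples are constructed stand-ins.

```python
"""Toy scanner: reference comparison plus a hex/dynamic-call heuristic whose
false positive is suppressed by allowlisting the known-good file hash."""
from __future__ import annotations
import difflib
import hashlib
import re

# Constructed heuristic (not the real GOTMLS definition): a call through a
# variable, $name( ... ), whose first argument is a string made of \xHH escapes.
HEX_DYNAMIC_CALL = re.compile(
    r'\$[A-Za-z_]\w*\s*\(\s*["\'](?:\\x[0-9A-Fa-f]{2})+["\']'
)

# Constructed PHP samples. REFERENCE_PHP stands in for the vendor's copy and is
# benign; INJECTED_PHP is the same file with one appended, user-controlled call.
REFERENCE_PHP = (
    '<?php\n'
    '$encode = "rawurlencode";\n'
    'return $encode("\\x1b");   // escape byte passed through a variable call\n'
)
INJECTED_PHP = REFERENCE_PHP + '$run = $_GET["f"]; $run("\\x2f\\x74\\x6d\\x70");\n'


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def added_lines(installed: str, reference: str) -> list[str]:
    """Lines present in the installed file but absent from the reference copy."""
    diff = difflib.unified_diff(reference.splitlines(), installed.splitlines(),
                                lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def heuristic_hits(src: str) -> list[int]:
    """1-based line numbers on which the hex/dynamic-call heuristic matches."""
    return [n for n, line in enumerate(src.splitlines(), 1)
            if HEX_DYNAMIC_CALL.search(line)]


def classify(src: str, known_good: set[str]) -> str:
    """An allowlisted hash wins over the heuristic; that is what a definition
    update for a confirmed-benign file amounts to."""
    if sha256_hex(src) in known_good:
        return "clean (allowlisted)"
    return "known threat" if heuristic_hits(src) else "clean"


if __name__ == "__main__":
    print(classify(REFERENCE_PHP, set()))                         # false positive
    print(classify(REFERENCE_PHP, {sha256_hex(REFERENCE_PHP)}))   # allowlisted
    print(classify(INJECTED_PHP, {sha256_hex(REFERENCE_PHP)}))    # hash differs
    print(added_lines(INJECTED_PHP, REFERENCE_PHP))               # injected line
```

    The injected sample differs from the reference by one line, so the hash allowlist does not cover it and the heuristic still reports it; that is the distinction between the false positive here and a real injection.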

    Thread Starter backpackingseries

    (@backpackingseries)

    Sorry, it took me a while to post a reply. But I’m relieved and happy to read this. Thank you so much for taking the time to help investigate, rule out, and update the definitions.

    Sincerely appreciate your support. _/\_

    Kind regards,

  • The topic ‘WPVivid Plugin File – False Positive?’ is closed to new replies.