Adriano G. V. Esposito

I received some days ago a similiar advertising request for a site I manage and there was inside the same hack kendraalexandra showed. As said by Samuel, the hack, if called via a http request, provides the admin’s rights to the caller. Furthermore in my malicious plugin there was another hack, called DarkShell, with which an attacker can browse the entire file system of the site.

I suspect it was also in the kendraalexandra’s malicious plugin.

Note the plugin was except the two files perfectly legitimate and working.

So I understood the following: when the plugin was installed the attacker calls a http url by which answers the first php file to obtain administrator’s prilivegese. Than calls the second php file which allows to browse the entire file system of the site.

Indeed in the theme folder I have just

template_authors.php

and

template_fullwidth.php

So it seems it is missing template_pagecomposer.php or similar

Me too…

WP 4.0.1

Sorry, wrong message!

Thank you.

Is pot file missing “Accept” and “Decline” strings or am I missing it?

I do it but I will loose all when updating JetPack…

if($show_subscribers_total && 0 < $subscribers_total[‘value’]){
?><p id=”join-subscriber-text”><?php
echo sprintf( _n( ‘Join %s other subscriber’, ‘Join %s other subscribers’, $subscribers_total[‘value’], ‘jetpack’ ), number_format_i18n($subscribers_total[‘value’]));
?></p><?php
}

Uoa! The new version do not have the global $str_key, I am right?!

Inspecting furthermore I see that at least a call to encode fails because $str_key passed to the function as $Password is empty:

// Check if key for encoding is empty
if ( ! $Password ) die ( __( "Encryption password is not set", 'captcha' ) );

But I see also the global $str_key is set right in the row 105. I am confused. Why this variable is see as empty?

Thank you, it worked to me!

Yeah.

The bigger problem was that in this line

echo "<p><?php _e( 'No post found', 'flexible-posts-widget' ); ?></p>";

php code did not work, obviously, because it was render as a string, and I noticed in the html code rendered by the browser the 2 php tags showed. Now I just go back to your default code and the html rendered is good.

Thank you anyway.

Back to the topic: I noticed I have in my already customized template file this rows echoed:

echo "<div class=\"dpe-flexible-posts no-posts\">";
echo "<p><?php _e( 'No post found', 'flexible-posts-widget' ); ?></p>";
echo "</div>";

I really dont know why… I dont remember… Anyway your original template widget.php do not show this code so it is entirely a problem of mine. Sorry ??

I already did this kind of stuff in the past. I will do and I’ll send to you the whole po/mo pair ??

Hi Dave, thanks for your help!

I did not translate the po/mo but I can translate it for you if you want.

Oh sorry, I did not understand.

You should revoke the access if your keys are no longer valid: https://gyazo.com/4492ec7ab26f67a79334dfb3b9e9201f

Strange, I just set mine…

My Client ID is in the form: number.apps.googleusercontent.com where number is the number of my account..