Security vulnerability | WordPress.org

Resolved sydneymoyer
(@sydneymoyer)

9 years, 7 months ago

I use Vaultpress for added security on my WP site, and it’s telling me that the Query Wrangler plugin has some suspicious code on line 210:

eval( stripslashes( $post['import-query'] ) );

The message from Vaultpress says “This code pattern is often used to execute unauthorized programs on your server. The code in these files needs to be reviewed, and possibly cleaned.”

Is this code part of the plugin? Is it a security threat for me or others? How would I clean it?

Thanks for your help!

https://wordpress.org/plugins/query-wrangler/

Viewing 2 replies - 1 through 2 (of 2 total)

Plugin Author Jonathan Daggerhart
(@daggerhart)

9 years, 7 months ago

Hi sydney,

The code you posted is part of the plugin and is protected from being accessed in multiple ways. It is not a security concern.

That said, the WordPress community hates eval(), so I’ll look into changing this to a json based import/export in the future.

Thanks for the heads up about VaultPress reporting this.
Jonathan

Plugin Author Jonathan Daggerhart
(@daggerhart)

9 years, 4 months ago

Hi sydney,

The new version (1.5.41) now uses josn for import & export. This should avoid any security scanner concerns.

Let me know if you run into any other issues,
Jonathan

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Security vulnerability’ is closed to new replies.

Tags

suspicious code

2 replies
2 participants
Last reply from: Jonathan Daggerhart
Last activity: 9 years, 4 months ago
Status: resolved