I am trying to: my wordfence security scan is identifying files as critical issues, when I google them they seem to be related to Toolset stuff. Please advise:
Link to a page where the issue can be seen: This file may contain malicious executable code: wp-content/plugins/woocommerce-views/Class_WooCommerce_Views.php
Type: File
Issue Found July 24, 2018 3:20 pm
Critical
Ignore
Details
Filename: wp-content/plugins/woocommerce-views/Class_WooCommerce_Views.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file is a PHP executable file and contains the word "eval" (without quotes) and the word "urldecode(" (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans. This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives.
------------------------------------------------------------------------------------------------------------------------------------------------------------
This file may contain malicious executable code: wp-content/plugins/wp-views/embedded/inc/wpv-condition.php
Type: File
Issue Found July 24, 2018 3:20 pm
Critical
Ignore
Details
Filename: wp-content/plugins/wp-views/embedded/inc/wpv-condition.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file is a PHP executable file and contains the word "eval" (without quotes) and the word "base64_decode(" (without quotes). The eval() function along with an encoding function like the one mentioned are commonly used by hackers to hide their code. If you know about this file you can choose to ignore it to exclude it from future scans. This file was detected because you have enabled HIGH SENSITIVITY scanning. This option is more aggressive than the usual scans, and may cause false positives.
I expected to see: no security issues
Instead, I got:
The eval requirements and statements about security are here:
https://toolset.com/toolset-requirements/
https://toolset.com/toolset-requirements/#eval-usage
I will actually now ask for a list of files, that hold this critical code.
Then, I will ask to publish that list there.
This will avoid wasting your time to put down a ticket asking us if this is a false positive or not, you will just be able to compare the files and be at ease.
Note also, that we evaluate possibilities to fully avoid the code specifically.
For now, this should be a false alarm, and you do not need to worry.
To be 100% safe, I will let a developer confirm this.
There is no usage at all of eval() in the wp-content/plugins/woocommerce-views/Class_WooCommerce_Views.php
(Actually, there is none in the whole WooCommerce Views Plugin)
What is possible is that the false alarm came from the function wcviews_clear_all_func_conditional_eval() which is not an eval() function at all.
The Views usage of eval() instead is totally safe.
We pass over eval() a string that we craft, that is not and can not be accessed by the "outer world", based on our own checks against the legacy wpv-if shortcode conditions.
Hence, this is a false alarm.
Thanks for the query though, it's always better to be safe.
Related to the public list of such files I wanted, we are discussing this internally.
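The reply above explains why the scan fired: the report lists files that contain the word "eval" together with a decoder such as "urldecode(" or "base64_decode(", and a function name like wcviews_clear_all_func_conditional_eval() contains that substring without ever calling eval(). The following is an added illustration, not code from Toolset or Wordfence, using constructed PHP snippets that only mimic the patterns described in this thread. It contrasts a naive substring heuristic with a check that matches real eval( call sites, and shows why even the better check still needs a human reviewer to confirm where the evaluated string comes from.

```python
import re

# Constructed PHP sources for demonstration; none of these are the plugins' real files.
SAMPLES = {
    # A function name containing "eval" plus a decoder call elsewhere in the file:
    # the substring heuristic fires, but there is no eval() call at all.
    "wcviews_like.php": (
        "<?php\n"
        "function wcviews_clear_all_func_conditional_eval($atts) {\n"
        "    $value = urldecode($atts['v']);\n"
        "    return $value;\n"
        "}\n"
    ),
    # A real eval() call on a string built earlier in the file (constructed stand-in
    # for the "crafted string" case described in the thread).
    "views_like.php": (
        "<?php\n"
        "$expr = base64_decode($stored);\n"
        "$code = 'return (' . $expr . ');';\n"
        "$result = eval($code);\n"
    ),
    # The textbook obfuscated pattern the heuristic is designed to catch.
    "webshell_like.php": "<?php eval(base64_decode($_POST['p']));\n",
    # Nothing suspicious.
    "clean.php": "<?php echo htmlspecialchars($x);\n",
}

DECODERS = ("base64_decode(", "urldecode(", "gzinflate(", "str_rot13(")

# eval( that is not the tail of an identifier (e.g. *_eval(), $eval(, ->eval( ).
EVAL_CALL = re.compile(r"(?<![A-Za-z0-9_$>])eval\s*\(")


def naive_scan(src: str) -> bool:
    """Substring heuristic as described in the scan report: the word 'eval'
    anywhere in the file plus any decoder name anywhere in the file."""
    return "eval" in src and any(d in src for d in DECODERS)


def eval_call_sites(src: str) -> list:
    """Offsets of genuine eval( call sites, ignoring identifiers that merely
    end in 'eval'."""
    return [m.start() for m in EVAL_CALL.finditer(src)]


def precise_scan(src: str) -> bool:
    """Flag only an eval( call whose own statement also contains a decoder.
    This is a statement-local check: it will not follow a decoded value that
    is assigned to a variable and evaluated in a later statement."""
    for m in EVAL_CALL.finditer(src):
        end = src.find(";", m.end())
        argument = src[m.end(): end if end != -1 else len(src)]
        if any(d in argument for d in DECODERS):
            return True
    return False


def scan_all(samples: dict) -> dict:
    """Map each sample file name to (naive_result, precise_result)."""
    return {name: (naive_scan(src), precise_scan(src)) for name, src in samples.items()}


if __name__ == "__main__":
    for name, (naive, precise) in scan_all(SAMPLES).items():
        print(f"{name:20s} naive={naive!s:5s} precise={precise!s:5s} "
              f"eval_calls={len(eval_call_sites(SAMPLES[name]))}")
```

Running it shows the file with only a `*_conditional_eval()` function name is flagged by the substring heuristic and cleared by the call-site check, and the obfuscated `eval(base64_decode(...))` one-liner is flagged by both. The constructed `views_like.php` case is the instructive one: the decoder and the eval() are in different statements, so the statement-local check clears it even though a decoded value does reach eval(). Whether that is acceptable depends on where the string originates, which is exactly the question the developers answer in this thread by tracing the input rather than by matching words, and it is why a scanner hit on a known plugin is a prompt to verify the file against the vendor's release rather than a verdict on its own.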
Hi, do you still need me to copy/paste the whole code in here? It's very long.
No, there's no need to post any additional code right now. Our developers are confident there is no security problem in these files, and are sure the high sensitivity of the Wordfence scan is throwing a false positive.