August 17, 2021 at 5:29 am #1898708
Vidal
Hello,
I started getting "PHP exploits" error messages for
/wp-content/plugins/gp-premium/elements/class-hooks.php
This is the code that appears in class-hooks.php:
<?php
/**
 * This file handles the Hook Element.
 *
 * @package GP Premium
 */

// Bail out when this file is requested directly instead of being loaded by WordPress.
defined( 'ABSPATH' ) || exit; // No direct access, please.

/**
 * Execute our hook elements.
 *
 * @since 1.7
 */
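class GeneratePress_Hook {
	/**
	 * Element content, read from the '_generate_element_content' post meta.
	 *
	 * @since 1.7
	 * @var string The content.
	 */
	protected $content = '';

	/**
	 * Name of the action the content is attached to.
	 *
	 * @since 1.7
	 * @var string The hook.
	 */
	protected $hook = '';

	/**
	 * Hook name stored in '_generate_custom_hook' meta; substituted for $hook when $hook is 'custom'.
	 *
	 * @since 1.7
	 * @var string The custom hook.
	 */
	protected $custom_hook = '';

	/**
	 * Whether generate_construct_header is removed when hooking into 'generate_header'.
	 *
	 * @since 1.7
	 * @var boolean Whether we're disabling the header.
	 */
	protected $disable_site_header = false;

	/**
	 * Whether generate_construct_footer (and the footer widgets) are removed when hooking into 'generate_footer'.
	 *
	 * @since 1.7
	 * @var boolean Whether we're disabling the footer.
	 */
	protected $disable_site_footer = false;

	/**
	 * Priority handed to add_action(). Comes straight from post meta (so it may be a
	 * string); absint() normalises it at registration time.
	 *
	 * @since 1.7
	 * @var int The hook priority.
	 */
	protected $priority = 10;

	/**
	 * Whether the stored content is evaluated as PHP in execute_hook().
	 *
	 * @since 1.7
	 * @var boolean Whether we're executing PHP.
	 */
	protected $php = false;

	/**
	 * Whether shortcodes in the content are expanded with do_shortcode() before output.
	 *
	 * @since 1.7
	 * @var boolean Whether we're executing shortcodes.
	 */
	protected $shortcodes = false;

	/**
	 * Display conditions, passed to GeneratePress_Conditions::show_data().
	 *
	 * @since 1.7
	 * @var array The conditions.
	 */
	protected $conditional = array();

	/**
	 * Exclusion conditions, passed to GeneratePress_Conditions::show_data().
	 *
	 * @since 1.7
	 * @var array The exclusions.
	 */
	protected $exclude = array();

	/**
	 * User-role conditions, passed to GeneratePress_Conditions::show_data().
	 *
	 * @since 1.7
	 * @var array The user roles.
	 */
	protected $users = array();

	/**
	 * Set up our class and give variables their values.
	 *
	 * Reads the element's settings from post meta, decides (via the display filters)
	 * whether the element applies to the current request and, if so, records it in the
	 * global element registry and attaches execute_hook() to the configured action.
	 * Every meta key is read exactly once here; the previous version read each key
	 * twice (once to test it, once to assign it).
	 *
	 * @param int $post_id The post ID of the element we're executing.
	 *
	 * @since 1.7
	 */
	public function __construct( $post_id ) {
		$this->hook = get_post_meta( $post_id, '_generate_hook', true );

		// Nothing to attach to: leave every property at its default and register nothing.
		if ( empty( $this->hook ) ) {
			return;
		}

		$this->content = get_post_meta( $post_id, '_generate_element_content', true );

		$custom_hook = get_post_meta( $post_id, '_generate_custom_hook', true );
		if ( $custom_hook ) {
			$this->custom_hook = $custom_hook;
		}

		$disable_site_header = get_post_meta( $post_id, '_generate_hook_disable_site_header', true );
		if ( $disable_site_header ) {
			$this->disable_site_header = $disable_site_header;
		}

		$disable_site_footer = get_post_meta( $post_id, '_generate_hook_disable_site_footer', true );
		if ( $disable_site_footer ) {
			$this->disable_site_footer = $disable_site_footer;
		}

		$priority = get_post_meta( $post_id, '_generate_hook_priority', true );
		// '0' is a valid priority and must not be dropped by the truthiness test.
		if ( $priority || '0' === $priority ) {
			$this->priority = $priority;
		}

		$php = get_post_meta( $post_id, '_generate_hook_execute_php', true );
		if ( $php ) {
			$this->php = $php;
		}

		$shortcodes = get_post_meta( $post_id, '_generate_hook_execute_shortcodes', true );
		if ( $shortcodes ) {
			$this->shortcodes = $shortcodes;
		}

		$conditional = get_post_meta( $post_id, '_generate_element_display_conditions', true );
		if ( $conditional ) {
			$this->conditional = $conditional;
		}

		$exclude = get_post_meta( $post_id, '_generate_element_exclude_conditions', true );
		if ( $exclude ) {
			$this->exclude = $exclude;
		}

		$users = get_post_meta( $post_id, '_generate_element_user_conditions', true );
		if ( $users ) {
			$this->users = $users;
		}

		// A 'custom' hook is only a placeholder for the name the user typed in.
		if ( 'custom' === $this->hook && $this->custom_hook ) {
			$this->hook = $this->custom_hook;
		}

		$display = apply_filters(
			'generate_hook_element_display',
			GeneratePress_Conditions::show_data( $this->conditional, $this->exclude, $this->users ),
			$post_id
		);

		/**
		 * Simplify filter name.
		 *
		 * @since 2.0.0
		 */
		$display = apply_filters(
			'generate_element_display',
			$display,
			$post_id
		);

		if ( ! $display ) {
			return;
		}

		global $generate_elements;
		$generate_elements[ $post_id ] = array(
			'is_block_element' => false,
			'type' => 'hook',
			'id' => $post_id,
		);

		if ( 'generate_header' === $this->hook && $this->disable_site_header ) {
			remove_action( 'generate_header', 'generate_construct_header' );
		}

		if ( 'generate_footer' === $this->hook && $this->disable_site_footer ) {
			remove_action( 'generate_footer', 'generate_construct_footer' );
			add_filter( 'generate_footer_widgets', '__return_null' );
		}

		add_action( esc_attr( $this->hook ), array( $this, 'execute_hook' ), absint( $this->priority ) );
	}

	/**
	 * Output our hook content.
	 *
	 * Expands shortcodes when enabled, then either evaluates the content as PHP or
	 * echoes it verbatim. The content is element markup authored in the editor and is
	 * deliberately emitted without escaping.
	 *
	 * @since 1.7
	 */
	public function execute_hook() {
		$content = $this->content;

		if ( $this->shortcodes ) {
			$content = do_shortcode( $content );
		}

		if ( $this->php && GeneratePress_Elements_Helper::should_execute_php() ) {
			// The stored content is run as PHP with the web server's privileges, so anyone
			// who can save this element can run arbitrary code. should_execute_php() (defined
			// outside this file) is the only gate on that path; keep it in mind when auditing
			// who holds edit access to elements.
			ob_start();
			eval( '?>' . $content . '<?php ' ); // phpcs:ignore -- Using eval() to execute PHP.
			echo ob_get_clean(); // phpcs:ignore -- Escaping not necessary.
		} else {
			echo $content; // phpcs:ignore -- Escaping not necessary.
		}
	}
}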
What could be the problem?
Thanks in advance.
August 17, 2021 at 6:14 am #1898745
Vidal
Line #215:
eval( '?>' . $content . '<?php ' ); // phpcs:ignore -- Using eval() to execute PHP.
What could be the problem?
Thanks in advance.
August 17, 2021 at 6:44 am #1898784
David
Staff / Customer Support
Hi there,
What error message are you receiving?
Or is it a security warning you're seeing?
August 17, 2021 at 6:52 am #1898790
Vidal
In the WordPress Security and Repair Tool:
Suspected security holes – PHP exploit files
Last updated at: 2 hours ago
The following list contains suspected files with PHP exploits. It is recommended to check these files, and in case you're sure about a particular file, you are welcome to contact our support team.
August 17, 2021 at 6:59 am #1898798
David
Staff / Customer Support
The Hook Element allows PHP execution unless you set DISALLOW_FILE_EDIT.
If an attacker gained access to your WP Admin, they could use hooks to install code.
However, if an attacker has access to your WP Admin, they could just as well install their own plugins or other plugins (such as Code Snippets) to install code. If your Admin is secure (e.g. 2FA login) then you should have no concerns.
Or you can set DISALLOW_FILE_EDIT in your wp-config to stop anyone from adding PHP in the editor.
August 17, 2021 at 8:42 am #1899089
Vidal
I have define( 'DISALLOW_FILE_EDIT', true );
in my WordPress wp-config.
August 18, 2021 at 4:32 am #1899931
David
Staff / Customer Support
That will stop PHP from being added in the editor.
Your security plugin will still flag the Hook function's code as a potential risk. But as your config won't allow adding PHP code in the editor, it's no longer an issue. As I mentioned above, the issue only exists if your server is not secure.
And if it's not secure, the attacker can add code by any means.