• Resolved razasdeperros

    (@razasdeperros)


    Hello,

    First of all, apologies. I’m not used to this kind of support and I didn’t know there was a chat where I could ask for help.

    I did this test on several new installations, 100% new with www.ads-software.com download and also with automatic installation of VestaCp.

    The results are the same, false positive on different new installations (different hosts too).

    Can you please tell me what is the problem, is it a plugin problem?

    Image:

    https://i.ibb.co/HC6ynkC/Sin-t-tulo-1.jpg

    and

    https://i.ibb.co/tz8YRcY/Sin-t-tulo-2.jpg


Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Eli

    (@scheeeli)

    Thanks for posting this info. Unfortunately I cannot see the relevant parts on that transient feed record to see what is actually being detected there. Can you please copy out the entire contents of that textarea and send it to me for further examination?

    You can email it directly to me: eli AT gotmls DOT net

    Thread Starter razasdeperros

    (@razasdeperros)

    Hi,

    eli@GOTMLS.NET?

    Plugin Author Eli

    (@scheeeli)

    ?? … Yes…

    I don’t like to have it typed out like that just to avoid the spam bot scrapers picking it up, but yeah, that will reach me.

    Plugin Author Eli

    (@scheeeli)

    Ok, thanks for sharing that data with me. There is a draft post in that transient feed data that is a transcript of “Interview With Product Lead Mark Westguard Of WS Form” in which is mentioned viagra, and that is why the record was flagged for deep scan by my plugin.

    Then the scan finds various links that would not otherwise be suspicious but in conjunction with the viagra talk it ends up being marked as a known threat.

    I have whitelisted this record so that it is no longer matched in my latest definition update. However, I am a bit disturbed by how and when this feed content made it into the WordPress Core release, so I am going to do some more digging to get to the bottom of this and find out why the full transcript of this interview is now embedded into every new WordPress database.

    Thank you for taking the time to bring this to my attention, and also for your willingness to work with me further. Providing that additional data was crucial to me understanding the extent of this issue and greatly helped me to find a quick solution.

    Thread Starter razasdeperros

    (@razasdeperros)

    Thank you very much for your time and work, it has been a great help. I have changed my rating, it is now 5 stars.

    However, I am very concerned about your discovery, I don’t understand why there is that information about Mark Westguard in a new WP installation.

    Another strange fact, out of my 16 websites, only 10 have this alarm. 6 sites did not have this code injection alarm. All of them are updated to the latest version of WP and yet 6 of them were 100% clean (no findings were reported when doing a full scan).

    This worries me even more, why only some WP installations have that interview in their database. Isn’t WP pure/clean when first installed? Why only some websites have that interview?

    This doesn’t make any sense to me, but WP is getting darker and darker in my mind. It would be great if you can design a plugin that actually CLEANS all of WP of crap, even in its clean install, I don’t trust WP dev team, once seen this.

    Plugin Author Eli

    (@scheeeli)

    Thanks for that.

    To be honest I am very concerned too. I have never come across this before on any of my test sites that are all running the very latest version of WordPress. After your mention of having this issue on a completely new install of WordPress though, I decided to test that and sure enough, when I installed a newly downloaded copy of WordPress on a new site with a completely blank database this new _transient_feed_d117b5738fbd35bd8c0391cda1f2b5d9 record appeared at the end of the wp_options table with the same content. Frankly I am not sure why WordPress would load any transient_feed record into a new database at all, but this one especially since it is over 600KB and full of articles that are not even in the wp_post, and one of which even has the word viagra in it!

    I will continue to dig deeper until I find out how and why this record was included with the latest release and also see if I can persuade anyone who is authorized to change it that it doesn’t need to or shouldn’t be there.
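
The two-stage match described in the thread (a keyword trigger, then links found in the same record) and the `_transient_feed_` record name can be combined into a small triage helper for anyone who gets the same alert. This is an added example, not the plugin's code or definitions: the term list, regexes, verdict labels and sample rows are constructed assumptions, and only the record name comes from the thread.

```python
import re
from urllib.parse import urlparse

# Assumptions for illustration only, not the plugin's real definitions.
SPAM_TERMS = re.compile(r"\b(viagra)\b", re.I)          # stage 1: keyword trigger
LINK = re.compile(r"https?://[^\s\"'<>]+", re.I)        # stage 2: links in the record
FEED_CACHE = re.compile(r"^_transient_feed_(?:mod_)?[0-9a-f]{32}$")

def triage(option_name, option_value, context=40):
    """Summarise why a wp_options row would trip a keyword-plus-links heuristic."""
    # Text around each keyword hit, so the analyst can read what was matched.
    hits = [
        option_value[max(0, m.start() - context):m.end() + context]
        for m in SPAM_TERMS.finditer(option_value)
    ]
    hosts = sorted({urlparse(u).hostname for u in LINK.findall(option_value)} - {None})
    flagged = bool(hits and hosts)
    is_feed = bool(FEED_CACHE.match(option_name))
    if not flagged:
        verdict = "clean"
    elif is_feed:
        # Name looks like a cached feed: read the context before allowlisting,
        # since the name alone does not prove the content is harmless.
        verdict = "review-cached-feed"
    else:
        verdict = "suspicious"
    return {
        "name": option_name,
        "bytes": len(option_value.encode("utf-8")),
        "is_feed_cache": is_feed,
        "keyword_context": hits,
        "link_hosts": hosts,
        "verdict": verdict,
    }

# Constructed sample rows (option_name, option_value); the content is invented.
SAMPLE_ROWS = [
    ("_transient_feed_d117b5738fbd35bd8c0391cda1f2b5d9",
     "<item><title>Interview transcript</title><description>... we block "
     "viagra spam in form submissions ... see https://example.test/forms "
     "and https://example.org/docs</description></item>"),
    ("siteurl", "https://example.test"),
]

if __name__ == "__main__":
    for name, value in SAMPLE_ROWS:
        print(triage(name, value))
```
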

  • The topic ‘False positive’ is closed to new replies.