• Resolved JVM Design

    (@jvmd)


    Hi there – We noticed what we think is a false positive with the plugin https://www.ads-software.com/plugins/termageddon-usercentrics/ I’ve reached out to them about it as they weren’t aware of any security issues. The file ID’d was:
    /includes/class-termageddon-usercentrics.php

    Just wanted to run it by you and if there is anything funky going on with the file, I can pass along any recommendations to the plugin developer.

    Thanks

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Eli

    (@scheeeli)

    Thanks for reporting this to me. I have confirmed that this is in fact a False Positive, and I will be whitelisting it ASAP.

    In case you (or the developers) want to know why it was flagged, it was the usage of a variable function ($result) called inside a condition that was testing a $_REQUEST parameter. I can see now that those conditions are not always malicious even though it is a common pattern among malicious injections. What makes this particular usage of a variable function safe is that the $result() function was declared inside the Class Function that calls it, so scope is limited, and the variable function is not passed by the unrelated $_REQUEST parameter being validated in the surrounding condition.

    I’m not sure why the developers chose to use a variable function like $result = function(… when they could have just declared the function properly, and there is always the potential to open up a security vulnerability if there is any chance that the variable can be altered before it is called, but in this case I can see no threat here so I will update my definitions to allow for this usage.
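The distinction drawn in the reply above, sketched as an added example that is not part of the original posts and is not the scanner's actual definition logic: a regex heuristic that finds variable-function calls inside conditions testing a request superglobal, then checks where the variable was assigned in the enclosing function. The PHP samples are constructed, all function and constant names are hypothetical, and the scope approximation (text since the last named function declaration) is an assumption.

```python
import re

SUPERGLOBAL = re.compile(r'\$_(?:REQUEST|GET|POST|COOKIE)\b')
VAR_CALL = re.compile(r'\$([A-Za-z_]\w*)\s*\(')            # $name( ... )
NAMED_FUNC = re.compile(r'\bfunction\s+&?\s*\w+\s*\(')     # named function or method, not a closure

# Constructed PHP sample (not the plugin's code): closure declared in the calling method.
SAFE_CLOSURE = r'''
class Demo {
    public function check() {
        $result = function ($v) { return in_array($v, array('1', 'true'), true); };
        if (isset($_REQUEST['enable']) && $result($_REQUEST['enable'])) { return true; }
        return false;
    }
}
'''
# Constructed variant: the same variable is overwritten from the request before the call.
REASSIGNED = SAFE_CLOSURE.replace("        if (", "        $result = $_REQUEST['cb'];\n        if (")

def if_conditions(src):
    """Yield (offset, condition text) for each if/elseif, matching parentheses by depth."""
    for m in re.finditer(r'\b(?:else\s*)?if\s*\(', src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {'(': 1, ')': -1}.get(src[i], 0)
            i += 1
        yield m.start(), src[m.end():i - 1]

def origin(expr):
    """Classify the right-hand side of one assignment."""
    if re.match(r'(?:static\s+)?(?:function|fn)\b', expr):
        return 'closure'
    return 'request' if SUPERGLOBAL.search(expr) else 'other'

def classify(src):
    """Return (variable, verdict) for variable-function calls in request-testing conditions."""
    findings = []
    for start, cond in if_conditions(src):
        if not SUPERGLOBAL.search(cond):
            continue
        decls = list(NAMED_FUNC.finditer(src, 0, start))
        scope = src[decls[-1].end() if decls else 0:start]   # enclosing function body so far
        for call in VAR_CALL.finditer(cond):
            name = call.group(1)
            rhs = re.findall(r'\$' + re.escape(name) + r'\s*=(?![=>])\s*([^;]*)', scope)
            kinds = {origin(r) for r in rhs}
            if 'request' in kinds:
                verdict = 'request-controlled'
            else:
                verdict = 'local-closure' if kinds == {'closure'} else 'unknown-origin'
            findings.append((name, verdict))
    return findings
```

Only the `local-closure` verdict corresponds to the case described as safe in the reply; a variable reassigned from the request before the call, or one with no visible assignment in scope, still warrants review.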

    Plugin Author Eli

    (@scheeeli)

    Thanks again for your post. I have just updated my definitions to exclude this False Positive.

    Please download the latest definition (NB34u) to confirm that this file is no longer flagged as a Known Threat.

    Thread Starter JVM Design

    (@jvmd)

    Thanks, Eli!

  • The topic ‘False Positive on Termageddon plugin’ is closed to new replies.