False positive on .xap files

Hello, thanks for the report.

I have written all the 14,318 lines of PHP code and the content of the 123 template files contained in the plugin, I know every piece of code composing the project, and I can tell by memory what a specific piece of code does. Considering this I can assure you that nothing in the plugin deletes files automatically because I have not written anything that does that; there is only one thing that can be used to delete files which is an action available in the core integrity checks panel, but it requires the approval of an administrator, the admin has to click a button before the plugin deletes anything so it is not automatic.

The files that you say are being deleted are in fact part of the WordPress 4.4.2, I do not know what they are used for though, the only thing I know is that they are Zip files and that both of them contain a Microsoft DLL (Dynamic Link Library) file as you can see below:

$ wp-includes/js/plupload/plupload.silverlight.xap
  AppManifest.xaml
  FJCore\IJG.txt
  FJCore\JAI.txt
  FJCore\License.txt
  FJCore\README.txt
  Moxie.dll
$ ./wp-includes/js/mediaelement/silverlightmediaelement.xap
  AppManifest.xaml
  SilverlightMediaElement.dll

My guess is that another program like an antivirus is running in the server where your website is being hosted, and because DLL files are blobs of data it is easy for an antivirus to confuse them with malware. Since you uninstalled the plugin I suppose the issue was resolved and the files are not being deleted anymore (even when I know the plugin is not able to do that), but I suggest you to ask your hosting provider to see if there is an antivirus running in the background that could be the actual cause of the problem.

Also, since there is no code in the plugin that can automatically delete a file without human interaction I can not say that I will fix the issue because there is no code to fix. I will have to mark this as resolved assuming that the uninstallation of the plugin helps to address the issue somehow. However, if you or your hosting provider can provide more information I can reopen this ticket and work on it again.

I continued searching information regarding these XAP files and found tens of articles on the Internet of people requesting support and asking questions because their hosting providers are flagging those files are malicious (because of the DLL files), I am pretty sure now that the Sucuri plugin has nothing to do with the deletion of those two files.

I found a commit referencing the first file “plupload.silverlight.xap”

Improve upload with plupload; plupload is a uploader and offers html5, flash, and silverlight modules to support multiple file, upload progress and chunked uploads with drag and drop funtionaliaty. With plupload, phtagr offers a chunked upload of files for supported internet browsers. Huge files like HD movies could be uploaded without changing php settings for large POST data. The progress of uploaded files are shown as well. The integration of plupload is done via backbone to play around with this gread js framework.

https://trac.phtagr.org/browser/webroot/js/plupload/plupload.silverlight.xap

They are legit files but for some reason the malware scanner that your hosting provider is using is flagging them and automatically deleting them. Please talk with their support team to address this issue.

Marking this as resolved.