• Resolved Vadim

    (@vadikcoma)


    Our antivirus is reporting that /wp-content/plugins/wp-google-maps/legacy-core.php file is being infected with SMW-INJ-25795-php.phish-0

    Is that a false positive or should we take any measures? We are on version 9.0.33

Viewing 8 replies - 1 through 8 (of 8 total)
  • Thread Starter Vadim

    (@vadikcoma)

    Same infection is reported by ImunifyAV on version 9.0.35

    stevewest15

    (@stevewest15)

    We’re also seeing the same issue with our security system reporting malware in legacy-core.php.

    dangergirl42

    (@dangergirl42)

    We upgraded three sites with the new map version, and are getting the same reported infection error by ImunifyAV in the three cPanels. Interested as well to know, like Vadim: is it a false positive, or what measures need to be taken?

    LPZ

    (@mexl)

    Same issue here… Plesk with ImunifyAV reporting it everywhere it is installed… The report shows “SMW-INJ-25795-php.phish-0”. We did the Imunify AV clean on all affected sites, the plugin continues to work normally.

    • This reply was modified 8 months ago by LPZ.

    The problem is this line:

    1745c1745
    <             return esc_attr("");
    ---
    >             return esc_attr("https://affiliatetracker.io/?aff=".$id."&affuri=".base64_encode($link));
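
    Review bot: the `<` side of line 1745 returns an empty string, so wherever wpgm_aff is defined with a non-empty ID, wpgm_pro_link() hands back an empty link rather than the original one; returning esc_attr($link), as the other two branches of the function do, would neutralise the affiliate redirect without dropping the link. On the `>` side, base64_encode($link) is placed in the query string without rawurlencode(), so the `+`, `/` and `=` characters that base64 can emit are left unescaped.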

    affiliatetracker.io does not exist. https://affiliatetrack.io/ exists. Probably Imunify identified the base64_encode.

    function wpgm_pro_link($link) {
        if (defined('wpgm_aff')) {
            $id = sanitize_text_field(wpgm_aff);
            if ($id && $id !== "") {
                return esc_attr("https://affiliatetracker.io/?aff=".$id."&affuri=".base64_encode($link));
            } else {
                return esc_attr($link);
            }
    
        } else {
            return esc_attr($link);
        }
    }

    I think it is safe to press the Clean button, as this link does not exist, so the function is actually doing nothing due to the wrong link. Also, I'm not sure if the plugin really needs that to work properly. It is just a way that the author can get information about your site.
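
For triaging a report like the one above across several installs, the following added example (not part of the thread and not the plugin's or ImunifyAV's code) lists every PHP line that combines a hardcoded http(s) URL literal with a base64_encode() call, which is the pattern the post above suspects was matched. The function name, the allowed_hosts parameter and the embedded sample are assumptions made for illustration; the real SMW-INJ-25795 signature logic is not public on this page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the function quoted in the thread, embedded so this runs offline.
SAMPLE_PHP = r'''function wpgm_pro_link($link) {
    if (defined('wpgm_aff')) {
        $id = sanitize_text_field(wpgm_aff);
        if ($id && $id !== "") {
            return esc_attr("https://affiliatetracker.io/?aff=".$id."&affuri=".base64_encode($link));
        } else {
            return esc_attr($link);
        }
    } else {
        return esc_attr($link);
    }
}
'''

URL_LITERAL = re.compile(r'''(["'])(https?://[^"'\s]+)\1''')  # quoted http(s) string literal
B64_CALL = re.compile(r'\bbase64_encode\s*\(', re.IGNORECASE)

def find_encoded_redirects(php_source, allowed_hosts=()):
    """Return (line_no, host, url_literal) for each non-comment line that contains
    both a hardcoded URL literal and a base64_encode() call (hypothetical helper)."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith(('//', '#', '*')):
            continue  # skip comment lines
        if not B64_CALL.search(line):
            continue
        for match in URL_LITERAL.finditer(line):
            host = (urlsplit(match.group(2)).hostname or '').lower()
            if host and host not in allowed_hosts:
                findings.append((line_no, host, match.group(2)))
    return findings

if __name__ == '__main__':
    for line_no, host, url in find_encoded_redirects(SAMPLE_PHP):
        print(f'line {line_no}: base64-encoded value appended to {url} (host {host})')
```

Each reported host still has to be checked by hand (does it resolve, who owns it, does the vendor document it) before deciding between a false positive and a real injection.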

    Plugin Author DylanAuty

    (@dylanauty)

    Hi there,

    Thank you all for bringing this to our attention, our apologies for the trouble/alarm this has caused.

    The block of code being flagged is not malicious, and we believe it is being falsely flagged in this case. For the time being, you are welcome to auto-clean the function, but the team and I are working on a patch to remove this from the plugin at the moment.

    The function is meant to allow affiliates to add their affiliate link and ID to links within the basic plugin, as part of our affiliate program.

    With that said, as @apterix has mentioned, this is no longer relevant as the original affiliate program has since ended, and those links have become invalid. This is something we should have removed sooner, but as it is part of the legacy code base, it went unnoticed.

    We apologize for the confusion and frustration this has caused. We expect to have a more well-rounded solution for this within the next day or so.

    I will update this thread when the update has been released.

    To ensure we reach everyone in this thread, I am tagging you all @apterix @mexl @dangergirl42 @stevewest15 @vadikcoma

    • This reply was modified 7 months, 3 weeks ago by DylanAuty. Reason: Spelling Mistake
    Plugin Author DylanAuty

    (@dylanauty)

    Hi again,

    Just a quick follow up to let you all know that our latest update (9.0.36) removes that legacy code block and should resolve the issue discussed here.

    Plugin Author DylanAuty

    (@dylanauty)

    Hi everyone,

    Since the update's release, we’ve had quite a few confirmations that the issue is resolved. If anyone here is still experiencing issues, please do let us know so that we can assist.

    In the meantime, we’ll go ahead and mark this as resolved.

  • The topic ‘legacy-core.php file infected’ is closed to new replies.