New symfony dependency looks dangerous

  • Resolved Paul

    (@headwall)


    1 month, 2 weeks ago

    Hi

    Since updating to version 1.36.0 we’re seeing lots of warnings from our PHP Malware scanner about a possible shell backdoor. We’ve investigated, and it’s these files:

    • addons/pro/googlesheet/lib/external/vendor-prefixed/symfony/console/Application.php
    • addons/pro/googlesheet/lib/external/vendor-prefixed/symfony/console/Cursor.php
    • addons/pro/googlesheet/lib/external/vendor-prefixed/symfony/console/Terminal.php
    • addons/pro/googlesheet/lib/external/vendor-prefixed/symfony/console/Helper/QuestionHelper.php

    Although we can configure our scanner to ignore these files, I would rather check to see if this “console” dependency is really needed in a WP back-end plugin. Can you please investigate, and hopefully remove this symfony/console dependency?

    For now, we will revert Forminator to an earlier version.

    Paul

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Kris – WPMU DEV Support

    (@wpmudevsupport13)

    Hi @headwall

    I hope you are doing well today.

    I pinged our Forminator Team to review this as soon this is possible. We will post an update here as soon as more information is available. Thank you for your patience while we look into this further.

    Kind Regards,
    Kris

    Plugin Support Kris – WPMU DEV Support

    (@wpmudevsupport13)

    Hi @headwall

    Our Forminator Team is aware of this issue and they are working on a fix. There is no ETA at the moment but the next update will contain that fix. As we have already reported this issue to developers I’m marking this thread as resolved.

    Kind Regards,
    Kris

    Plugin Support Kris – WPMU DEV Support

    (@wpmudevsupport13)

    Hi @headwall

    We released a new version 1.36.2. It should fix issues related to warnings from your PHP Malware scanner.?Please test it and let us know about the results.

    Kind Regards,
    Kris

    Thread Starter Paul

    (@headwall)

    Thanks for the update. I’ve downloaded version 1.36.2 and it now passes the tests in our PHP Malware scanner.

    Appreciated ??

Viewing 4 replies - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.