PHP code injection does not work after newest update

Uhm, actually not, maybe you don’t have the PHP execution option active?

Same… I downgraded to 3.2.5, I’m using php8

<?php
echo "Today: " . date( 'd-M-Y H:i:s', current_time( 'timestamp', 0 ) );
?>
<br>
<?php
echo "International: " . date( 'd-m-y H:i:s', current_time( 'timestamp', 1 ) );
?>
<br>
Renew date and time: 
<?php 
the_date();  - the_time('l'); 
?>

• This reply was modified 1 year, 3 months ago by webdeweb.

Hi, check on the plugin configuration, advanced tab, if the PHP is enabled. That option was introduced to conform with WP security standard (probably it will be removed and the ability to execute PHP moved to a special “define” on wp-config.php)

can I activate it for the whole network ?

hat option was introduced to conform with WP security standard (probably it will be removed and the ability to execute PHP moved to a special “define” on wp-config.php)

Please note that if you do that without some sort of automation or some very clear notification, sites will break.

Hi, there is an automation that enables it automatically on update, but probably it is not working, or in some systems the update code is not working/executed, I’m looking at it.

I also had this problem. You message “explaining” this issue blames the theme or plugins (“PHP is NOT allowed in your code (disabled by your theme or a plugin)”). This had me running down a rabbit hole for HOURS trying to figure out which plugin was the problem, when YOUR plugin was the problem. Even if the update had worked perfectly, this is really obnoxious. Please take the trouble to write clear messages.

Want to also add some additional information. It appears that the recent update included this new field, but you have it set it to disabled by default. (Which is causing the issues many are reporting) Would you be able to update it so its active by default?

This is a serious bug.

There should have been a warning.

PHP is used to manipulate data, and as a result, we have some cookie data for users that was set to PHP code strings.

Luckily we do most of our data cooking in dedicated plugins of our own, but we did have some items in A/B testing using this plugin and those user cookies are now polluted.

But it took us some time to track down the issue. We noticed the change in this plugin’s settings, but when we set the option it did not appear to resolve the problem. It took us some time to realize that PHP strings were now stored in cookies and being pulled back into the page environment. We have now had to implement new code to check cookies for PHP code and zero values if they contain PHP code. So we had to write net new code to undo what the change in defaults did on our site, and we have lost user data.

NEVER release a change in fundamental behavior unless you:

• DEFAULT to old behavior and make the new behavior an option
• Provide a WARNING prior to upgrade about what will change; word press provides a space for banners in the plugin list for this reason

Why the message “PHP is NOT allowed in your code (disabled by your theme or a plugin)” when it your own plugin that is disabling it. It’s bad enough to change the default so people’s sites break – but making them think this is coming from elsewhere – not your own settings – is really bad form.

Can someone educate me how to downgrade the version of the plugin, as I am having the same issue.

To enable PHP there is an option on the advanced tab.

@satollo

You need to change the error message from – PHP is NOT allowed in your code (disabled by your theme or a plugin)

to – PHP is NOT allowed in your code (go to Advanced tab to enable it)

Stop misleading us, wasting our time disabling and enabling other plugins when the solution is just a few tabs away.

This took me one day to fix, checking things I shouldn’t check on my server and wordpress, wasting my time when all I needed to do is go to advanced tab to enable it.

• This reply was modified 8 months ago by spreaditunlimited.