Possible hack with 'eval' found with [PLUGIN Exploit Scanner]
I know there have been hacks that use ‘eval’ and ‘eval(base64_decode(’, but are there still active hacks that use just ‘eval’ in PHP code? For example, I used PLUGIN Exploit Scanner and found the following results:
wp-content/plugins/contact-form-7/scripts.js:49
$.each(data.onSentOk, function(i, n) { eval(n) });
wp-content/plugins/contact-form-7/scripts.js:55
$.each(data.onSubmit, function(i, n) { eval(n) });
wp-content/plugins/events-calendar/js/jquery.clockpick.min.js:27
;h2′}function divprev(a){if(a.prev().size()){eval(divtype+’div_out($obj)’);eval(divtype+’div_over($obj.prev(), e)’)}else{return false}}function divnext(a){if(a.next().size()){eval(divtype+’div_out($obj)’);eval(divtype+’div_over($obj.next(), e)’)}else{return false}}function hourtohour(a){var b=h>=12?’#hourcol1′:’#hourcol2′;$newobj=jQuery(“.CP_hour[@id$=_”+hi+”]”,b);if($newobj.size()){hourdiv_out(a);hourdiv_over($newobj,e)}else{return false}}function hourtominute(a){hourdiv_out(a);minutediv_over($(“.CP_minute:first”))}function minutetohour(a){minutediv_out(a);var b=h>=12?’#hourcol2′:’#hourcol1′;var c=jQuery(“.CP_hour[@id^=hr_”+h+”]”,b);hourdiv_over(c,e)}switch(e.keyCode){case 37:if(v){switch(f){case’m1′:return false;break;case’m2′:minutetohour(d);break;case’h1′:hourtominute(d);break;case’h2′:hourtohour(d);break}}else{divprev(d)}break;case 38:if(v){divprev(d)}else{switch(f){case’m1′:return false;break;case’m2′:minutetohour(d);break;case’h1′:hourtominute(d);break;case’h2′:hourtohour(d);break}}break;case 39:if(v){switch(f){case’m1′:minutetohour(d);break;case’m2′:return false;break;case’h1′:hourtohour(d);break;case’h2′:hourtominute(d);break}}else{divnext(d)}break;case 40:if(v){divnext(d)}else{switch(f){case’m1′:minutetohour(d);break;case’m2′:return false;break;case’h1′:hourtohour(d);break;case’h2′:hourtominute(d);break}}break;case 13:eval(divtype+’div_click($obj)’);break}retu
wp-content/plugins/events-calendar/js/ui.datepicker.js:163
inlineSettings[attrName] = eval(attrValue);
wp-content/plugins/nextgen-gallery/admin/js/jquery.MultiFile.pack.js:11
eval(function(p,a,c,k,e,r){e=function(c){return(c<
wp-content/plugins/nextgen-gallery/admin/js/jquery.ui.tabs.pack.js:10
eval(function(p,a,c,k,e,r){e=function(c){return(c<
wp-content/plugins/nextgen-gallery/admin/js/swfupload.js:450
returnValue = eval(returnString);
wp-content/plugins/thank-me-later/tml_includes/mail_send.php:109
$ret = @eval($php);
Should I be worried about any of these? Is eval in ANY PHP a threat? Contact Form 7 is a popular plugin, but I found eval in the PHP code above even in the unpacked zip file, BEFORE installing it on WP.
Thanks in advance.