• Resolved StuartCBrown

    (@stuartcbrown)


    Hi Eli Scheetz,

    I’ve scanned my site before and after updating the definitions yesterday. Before updating, no known security threats were found; after updating, Class-UpdraftPlus.PHP has been identified as a known security threat. This surprises me as I’ve been using both plugins for a long time now. The author of UpdraftPlus was unable to shed any light on why his plugin is now being identified in this way.

    I updated definitions again today and got the same message. Are you able to shed any light on this issue or suggest an appropriate course of action?

    Stuart

    https://www.ads-software.com/plugins/gotmls/

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Eli

    (@scheeeli)

    On lines 1028 and 1055 of …/plugins/updraftplus/class-updraftplus.php there is some poorly written HTML that is written to files using the file_put_contents function. This bad HTML looks just like the stuff that hackers inject into themes and templates.

    The current code starts with a /body tag (which is wrong) and does not have a closing anchor tag (also wrong):
    <html></body><a href="https://updraftplus.com">...</body></html>

    The code needs to be fixed on both lines to be something like this:
    <html><body><a href="https://updraftplus.com">...</a></body></html>

    Feel free to relay this to the developers of that plugin.
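
A tag-balance check along these lines flags both defects named in the reply above (the stray closing body tag and the unclosed anchor) and passes the corrected string. It is an added example, not part of the original post or of either plugin's code; `check_fragment`, `TagBalanceChecker` and the constant names are hypothetical, and it uses Python's standard `html.parser` rather than the scanner's own signature logic.

```python
from html.parser import HTMLParser

# Elements that never take a closing tag, so they are not pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class TagBalanceChecker(HTMLParser):
    """Collects stray closing tags and elements left open in a fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []      # currently open elements, outermost first
        self.problems = []   # human-readable findings

    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag not in self.stack:
            self.problems.append(f"closing </{tag}> with no open <{tag}>")
            return
        # Anything opened after the matching start tag was never closed.
        while self.stack[-1] != tag:
            self.problems.append(f"<{self.stack.pop()}> not closed before </{tag}>")
        self.stack.pop()


def check_fragment(html):
    """Return a list of tag-balance problems; an empty list means balanced."""
    checker = TagBalanceChecker()
    checker.feed(html)
    checker.close()
    leftovers = [f"<{t}> never closed" for t in reversed(checker.stack)]
    return checker.problems + leftovers


# The two strings quoted in the reply above ("..." kept as the link text).
CURRENT_HTML = '<html></body><a href="https://updraftplus.com">...</body></html>'
FIXED_HTML = '<html><body><a href="https://updraftplus.com">...</a></body></html>'

if __name__ == "__main__":
    for name, fragment in (("current", CURRENT_HTML), ("fixed", FIXED_HTML)):
        print(name, check_fragment(fragment) or "balanced")
```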

    Thread Starter StuartCBrown

    (@stuartcbrown)

    Hi Eli,

    Many thanks for your response, I’ll relay the message.

    Stuart Brown

  • The topic ‘Updraft Plus plugin Identified as a Known Security Threat’ is closed to new replies.