Forum Replies Created

Viewing 15 replies - 1 through 15 (of 38 total)
    I came here looking for similar information since now iThemes Security is highlighting two vulnerabilities: a Contributor+ Stored XSS vulnerability and a Local File Inclusion. Very odd and such a shame since the plugin has so many users and has been updated somewhat recently.

    www.ads-software.com says this plugin has over 100,000 installs! Hopefully someone smart can take a look at this and maybe tell us all to change one line of code to secure the vulnerability until an official change can be made!?

    Thanks for the update. Good luck with your personal commitments. Set up a donate link when you get your site up and running again!

    Dave

    I concur with my fellow WordPress users.

    I’d like to see a replacement for this as well. The “next” button has not been working for some time, but at least it was still somewhat random. But unfortunately I’ve been getting this email for a few days now:

    ```
    Howdy!

    Since WordPress 5.2 there is a built-in feature that detects when a plugin or theme causes a fatal error on your site, and notifies you with this automated email.

    In this case, WordPress caught an error with one of your plugins, Quotes Collection.
    ```

    This happened on 3 of about 20 of my live production sites so far. The reinstall button worked. But ugh, how did that happen?

    I have had a similar issue pop up. Due to a rogue plugin update recently, my allotted VPS HDD virtual space filled up overnight with a gigantic error log (ahem, Pretty Links). Consequently, I started receiving BackupBuddy errors on my websites, all of which I have traced to wfls_2fa_secrets and wfls_settings being labeled as “Unknown storage engine ‘InnoDB’” in the WF diagnostics page. I’m not sure what to do with this since I have WF installed on about 20 sites.

    Thread Starter davebach (@davebach)

    Thanks for the reply. I do see your point even though it may not completely align with the way I prefer. So I will no doubt turn off warnings and leave on critical alerts. I can only see my inbox getting further overloaded as I add WF to more/new sites.

    The WF docs say “Wordfence sends email alerts on certain events if you have enabled the alerts in this section.” What are the other alerts that will be silenced when I turn it off?

    Thanks,
    Dave

    Thread Starter davebach (@davebach)

    Thanks for being on top of this.

    Note to everyone, please donate.

    Dave

    I had the same issue in the last few days and was notified via the Google Search Console team. I found very little information on this type of hack with a Google search for wp.service.controller.

    Thanks to @ernasx and @dzemens for those plan summaries. On one of my sites that had been attacked, the damage was fairly deep. I’d like to add that I used WPMU Dev’s Defender first since it was installed. It found some files, then Wordfence found more and then GOTMLS found even more. I can’t say which is best because of the order I used them in, but one piece of software would have been waaay less time consuming. I had a few of the things others mentioned… simply-named php files in the main wp directory (the file names seem to be taken from text on the site), php files in wp-content, modified wp-config and index files and the favicon files that fake you out.

    I want to patch the hole, but it’s hard to find a common denominator when you tend to use the same plugins again and again. But FOR ME the biggest similarity I was leaning toward with the sites that got hit was that they allowed registration… but not truly open registration… they are used with S2 Member and are the only sites that use wp-login.php without obscuring the login path. The first site allows registration, but only with an invite code from another plugin. The number of invites used equaled the number of legit users, so the hack/script seemed to get around that (11 wp.service.controller accounts). I also had a plugin that allows me to approve accounts; it did not notify me of these clandestine accounts. With the other site that got hit, you have to pay for an account, but presumably they got around that (2 wp.service.controller accounts).

    That is not to say that a password was not compromised, but I’m the only admin account and the sites are 2-factor protected and I’ve done most of the things the iThemes Security plugin recommends. And of course many other good-practice site and password protections.

    Anyway, I think I have the sites cleaned. I can temporarily close one site to registration, but the other paid site I can’t. So, does anyone know more about the wp.service.controller hack and how to protect against it?

    This fixed the same problem for me. I suspect WP 4.7.5 broke it based on when I noticed it.

    Thread Starter davebach (@davebach)

    That did the trick, thanks very much.

    Dave

    Hi,

    I just updated from the legacy version. I used to use a template that displayed the description, which was converted into what I believe would probably be the_content, but in a custom template I can only get this to work:

    `<?php $dlm_download->the_short_description(); ?>`

    not something like this:

    `<?php $dlm_download->the_content(); ?>`

    All my short descriptions are empty after the legacy conversion, so how can I display the content… I can’t find an example in the included templates.

    Thanks

    I am getting similar 404 errors on a site that I am not using a CDN with.

    Lots of 404s from utils/temp.

    Dave

    Thread Starter davebach (@davebach)

    Yes, shared hosting. Turning off just database caching fixed it. Thanks.

    Two additional sites on the same host have both database and object (and page and browser) caches enabled, so I’m not sure why it works on some. Nor do I remember why they are on in the first place; it was probably a set-it-and-forget-it choice a year ago.

    I have seen that minify does not work with some themes, so perhaps database is the same.

    I also use iThemes Security as israa2010 mentioned, but I couldn’t say if that’s a factor since I have that on every site.
