Hi HMWP team,
We recently faced a spam injection attack on our website, as a result of which our Google indexing has been hit. We are investigating how all this could have happened even after we had all the popular plugins recommended for safety installed in our setup. HMWP is one of the plugins we installed for that reason. While going through the table wp_hmwp_ms_intrusions used by HMWP, we found that PHP code was saved as is, i.e. unescaped. We are sharing the table with you via email for your review. If the PHP “eval” code is saved as is in the DB, then it’s possible that when it’s called anywhere, either to display the intrusions or for any other purpose, it gets executed and the code gets infected or other intended actions are taken. E.g. in the 4th row itself we see the value “@ eval (base64_decode($_POST[z0]));”
There are numerous other rows with code similar in nature. As per our team, such code should either be escaped or not saved at all. Moreover, if HMWP was able to detect this as an intrusion, why wasn’t it able to stop the execution and prevent this from happening?
Any insights from you will help us understand what went wrong and how we can prevent this from happening in the future.
Looking forward to your reply.
Thanks
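An added example, not from the post above and not HMWP's own code, showing how a defender can triage an export of an intrusion table like the one described: each stored request value is labelled by the code-execution primitives it contains and HTML-escaped at output time, so a logged payload such as the eval string is shown as inert text while the raw row is kept for forensics. The row layout and the sample rows are constructed for this example.

```python
import html
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample rows mimicking an intrusion-log export; not real HMWP data.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"id": "1", "ip": "198.51.100.7", "value": "/xmlrpc.php"},
    {"id": "2", "ip": "198.51.100.8", "value": "<script>alert(1)</script>"},
    {"id": "3", "ip": "203.0.113.4", "value": "/wp-login.php?redirect_to=%2Fwp-admin"},
    {"id": "4", "ip": "203.0.113.5", "value": "@ eval (base64_decode($_POST[z0]));"},
]

# PHP primitives that turn a string into running code only if some sink passes
# it to eval; their presence in a logged request is a strong signal for review.
EXEC_PRIMITIVES = re.compile(
    r"\b(eval|assert|base64_decode|system|shell_exec|passthru)\s*\(", re.I
)
MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.I)


def classify(value: str) -> str:
    """Label a stored request value for triage; never executes or decodes it."""
    if EXEC_PRIMITIVES.search(value):
        return "code-injection"
    if MARKUP.search(value):
        return "markup"
    return "benign-looking"


def render_value(value: str) -> str:
    """Escape a stored value for HTML output so the browser treats it as text.
    Escaping happens at display time; the raw DB value stays intact as evidence."""
    return html.escape(value, quote=True)


def triage(rows: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (id, label, escaped_value) for rows needing a human look,
    with code-injection attempts listed first."""
    labelled = [(r["id"], classify(r["value"]), render_value(r["value"])) for r in rows]
    flagged = [entry for entry in labelled if entry[1] != "benign-looking"]
    return sorted(flagged, key=lambda entry: entry[1] != "code-injection")


if __name__ == "__main__":
    for row_id, label, shown in triage(SAMPLE_ROWS):
        print(f"row {row_id}: {label}: {shown}")
```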