Background of the issue:
I am trying to deploy websites on Alibaba Cloud servers. Recently, Alibaba Cloud reported that many websites have WebShell. The issue is related to files in the wp-content/plugins/sitepress-multilingual-cms/vendor/otgs/installer/includes/utilities/FP/Logic.php and wp-content/plugins/otgs-installer-plugin/vendor/otgs/installer/includes/utilities/FP/Logic.php with MD5: 5889f0565aee3c571662e180e21c44bb.
Symptoms:
Alibaba Cloud reported Trojan files with malicious behavior tags such as uncertain value defense bypass, branch defense bypass, and arbitrary PHP code execution.
Languages: English (English )German (Deutsch )French (Français )
Timezone: Europe/Zagreb (GMT+01:00)
Hi,
Thank you for contacting WPML support!
I am checking this with our 2nd tier. Apart from our the above screenshots, is there maybe additional info on the exact code parts that are reported as being malicious?
Can you please update what's the status about this? It's been a month, and we keep receiving warning from the hosting provider, but didn't see any fix from your team.
Languages: English (English )German (Deutsch )French (Français )
Timezone: Europe/Zagreb (GMT+01:00)
Our team of developers is actively working on this issue. However, it is quite complex and is planned to be addressed in WPML version 4.7.
Currently, 4.7 is in its Beta 1 phase and is not recommended for production sites. Unfortunately, the solution for this issue is not included in the beta version.
At this time, I’m unable to provide specific dates for when this will be fixed, as it depends on the release timeline for version 4.7, which has not been finalized yet.
I am a developer from the WPML Team, and I am currently working on replicating the issue you reported. However, I need your assistance to proceed further.
Could you please provide detailed steps to reproduce the issue? I have already set up an EC2 Alibaba instance with an enterprise account, with WordPress and WPML installed and configured.
At this point, I need detailed guidance on how to correctly set up and run the web shell detection service. Please provide all the necessary steps to replicate this phase.
We did nothing about it actually, but just install the plugin. I think Aliyun just report that issue via scanning the plugins files. All the wordpress project with WPML plugin got that alert basically.
Languages: English (English )German (Deutsch )French (Français )
Timezone: Europe/Zagreb (GMT+01:00)
We were able to replicate the issue and, based on our investigation, it appears this may be a "false positive" as outlined in Alibaba's documentation. Alibaba also provides guidance on how to manage such warnings, which can be found on hidden link
At this point, we're still determining the best way to suppress or prevent this warning on our end.
Hi Christopher,
we have released the fix to prevent this false positive being raised by Alibaba. Please, download the latest version of WPML.
That said, I want to clarify that in our tests, the files you mentioned are correctly flagged as negative by the Alibaba scan tool now. However, we have noticed that the tool's behaviour is not consistently deterministic. Could you please confirm whether the alerts have disappeared on your end, after you installed the latest version of WPML?
In any case, the solution bruno shared with you is still valid.
I recently encountered the same issue: Alibaba Cloud reported Trojan files in
.../wp-content/plugins/sitepress-multilingual-cms/vendor/wpml/fp/core/logic.php.
We still keep receiving the same issue report, and it affects all of our clients websites that hosted on Aliyun, can you please fix it as soon as possible?
