WordPress / health-check

Health Check is a WordPress plugin that will perform a number of checks on your WordPress install to detect common configuration errors and known issues.
GNU General Public License v2.0
174 stars, 51 forks

Open security vulnerability used to inject malware #425

Closed. klingtnet closed this 2 years ago

klingtnet commented 2 years ago

Feature request/bug description

I recently removed malware from a WordPress installation that was using this plugin. The malware installed itself inside /wp-content/mu-plugins/index.php, where /wp-content/mu-plugins/ is the directory of this health check plugin in version 1.7.2. Just removing the malicious index.php was not enough; the malware reappeared. This means that the most recent version of this plugin still contains a vulnerability. I needed to remove the plugin directory to get rid of the malware permanently. More details about the actual malware can be found in my blog article. I am not a PHP developer, so I haven't tried to find out where the actual vulnerability in this plugin is.

klingtnet commented 2 years ago

The vulnerability must be in this file: https://github.com/WordPress/health-check/blob/8da8f370f20c1217aeebba60723536da58b9e2bb/src/php/assets/mu-plugin/health-check-troubleshooting-mode.php

JosKlever commented 2 years ago

The vulnerability is probably not in this plugin, but in something else. I've read your analysis and you are making some mistakes there. The mu-plugins folder is not from a particular plugin (like the Health Check plugin). It's the Must Use Plugins folder that is part of WordPress by default. Plugin files that are put there will always be loaded and can't be deactivated via the dashboard. So this is often used by tools that do essential things. Health Check is using it so it can run the troubleshooting mode with every plugin disabled. You are clearly not familiar with WordPress sites, and that's fine of course, but in this case you should have let a WordPress security expert look into this hack/malware infection. Most of the time these redirect hacks are caused by a vulnerability in a plugin allowing a hacker to upload a file or edit something in the database. It's impossible to say what it was in your case without doing a full scan.
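
The security-relevant point in the comment above is that WordPress auto-loads every top-level .php file in wp-content/mu-plugins on every request, with no activation step and no dashboard toggle, which makes the directory a convenient persistence location regardless of which plugin originally created it. The script below is an added example (not code from the Health Check plugin or from either commenter) that lists exactly the files WordPress will auto-load from that directory, flags any that are not on a per-site allow-list, greps them for the constructs common in redirect droppers, and separately walks the whole tree, since a file that is not auto-loaded (and so survives deleting index.php) can still be the re-dropper. The expected loader name is an assumption taken from the path in the comment that links the plugin's mu-plugin source; the sample files it creates are constructed, not a real infection.

```python
"""Audit wp-content/mu-plugins for unexpected or suspicious PHP files.

Added example, not part of the Health Check plugin. WordPress loads every
top-level *.php file in WPMU_PLUGIN_DIR on every request, so a file dropped
there by an attacker is persistent and never shows up as "deactivated".
"""
import re
import tempfile
from pathlib import Path

# Loader files this site is expected to have. The Health Check file name is
# an ASSUMPTION based on the plugin's source path; tune this per site.
EXPECTED_MU_PLUGINS = {"health-check-troubleshooting-mode.php"}

# Constructs that show up in most PHP redirect / web-shell droppers.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bbase64_decode\s*\("), "base64_decode()"),
    (re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("), "payload decoder"),
    (re.compile(r"\bcreate_function\s*\("), "create_function()"),
    (re.compile(r"\b(curl_exec|file_get_contents)\s*\(\s*['\"]https?://"), "remote fetch"),
    (re.compile(r"header\s*\(\s*['\"]Location:"), "redirect header"),
]


def mu_plugin_files(mu_dir):
    """Top-level .php files only: exactly the set WordPress auto-loads."""
    return sorted(p for p in Path(mu_dir).glob("*.php") if p.is_file())


def scan_file(path):
    """Return the labels of every suspicious pattern found in one file."""
    try:
        text = path.read_text(errors="replace")
    except OSError as exc:
        return [f"unreadable: {exc}"]
    return [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(text)]


def audit(mu_dir, expected=EXPECTED_MU_PLUGINS):
    """{filename: [reasons]} for each auto-loaded file that needs a human look."""
    report = {}
    for path in mu_plugin_files(mu_dir):
        reasons = []
        if path.name not in expected:
            reasons.append("not in expected loader list")
        reasons.extend(scan_file(path))
        if reasons:
            report[path.name] = reasons
    return report


def scan_tree(root):
    """Recursive sweep: nested files are not auto-loaded, but one of them may
    be the re-dropper that recreates index.php after it is deleted."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        if path.is_file():
            findings = scan_file(path)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report


def make_sample_tree():
    """CONSTRUCTED sample: one benign loader stub, one dropper-style index.php,
    and a nested helper that the auto-load check alone would never see."""
    root = Path(tempfile.mkdtemp(prefix="mu-plugins-"))
    (root / "health-check-troubleshooting-mode.php").write_text(
        "<?php\n// Stub standing in for the real Health Check loader.\n"
        "add_action('plugins_loaded', 'hc_troubleshooting_mode');\n"
    )
    (root / "index.php").write_text(
        "<?php\n"
        "$u = base64_decode('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv');\n"
        "header('Location: ' . $u);\n"
    )
    (root / "lib").mkdir()
    (root / "lib" / "helper.php").write_text("<?php eval('1;');\n")
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    print("auto-loaded files needing review:")
    for name, reasons in audit(sample).items():
        print(f"  {name}: {', '.join(reasons)}")
    print("full-tree findings:")
    for name, reasons in scan_tree(sample).items():
        print(f"  {name}: {', '.join(reasons)}")
```

Run it against a real site as `audit('/var/www/html/wp-content/mu-plugins')` and `scan_tree('/var/www/html/wp-content')`; the pattern list is a triage aid, not a verdict, so anything it flags (and anything the allow-list does not recognise) still needs to be read by hand, and a clean report does not rule out a dropper living in the database or in a writable upload directory.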

klingtnet commented 2 years ago

> in this case you should have let a WordPress security expert look into this hack/malware infection.

Definitely yes, but it's not that easy to find one who's really capable of doing such an analysis. From my limited experience, it seemed like there are a lot of scammers in this market. Also, the infected website belonged to a private person and they wouldn't have invested that money.

However, the infection didn't come back 🤞🏻 and the site works fine now. What leaves a bit of a bitter taste is that nobody reacted to my GitHub issue until I reached out to the email address linked in https://wordpress.org/security.txt (which didn't even accept PGP-encrypted mails).

JosKlever commented 2 years ago

I found this issue by accident, when I was checking a specific topic regarding this plugin, so I answered your post because I could say something about it, even though I'm not part of the plugin's team.

The PGP encryption support is something you should ask about via plugins [at] wordpress [dot] org. Maybe they can explain why it can't be used, or they can consider making it possible.

I'll try to reach out to the team who runs this GitHub profile to get some more attention on the open issues.