Under review
Plugin flagged as malware by security scanners – false positive or genuine issue?
Hi all,
I’m currently using WP Review Slider Pro and one of the plugin files is being flagged as malware by multiple security scanners.
From reviewing the code, it appears the warning may be related to external API calls, legacy PHP functions, and file handling methods rather than any obvious malicious payload. However, this is obviously concerning from a production security standpoint.
Has anyone else experienced this with recent versions of the plugin?
Specifically:
- Are there plans to refactor remote requests to use official APIs only?
- Is there a roadmap to modernise input sanitisation and file handling to meet current WordPress security standards?
- Has this been confirmed as a false positive by the development team?
Any insight from the developers or other users would be appreciated.
Thanks in advance.
I'm getting several messages from users this morning about the same thing. I'm guessing this is a false positive as it is coming from multiple different users. When you say multiple different security scanners, can you let me know one that I can run and check for myself? If I can get an actual line number in the file that it is flagging I can investigate.
Hi Josh,
This is being scanned using the malware checker through the hosting provider 20i. It's giving a report that reads the following:
/home/sites/11b/3/368e879d54/public_html/wp-content/plugins/wp-review-slider-pro/admin/class-wp-review-slider-pro-admin_hooks.php
I hope that helps
Do you mind contacting their support and ask if there is a way to find the specific lines that are triggering this? Or the rules they are using to flag? That file has most of the admin functions for the plugin so I need to figure out what their scanner doesn't like.
Hey Josh,
I’ve heard back from the host. They can’t provide a specific rule ID or line reference from the malware engine.
However, they’ve confirmed this is a pattern-based detection and have offered to submit the flagged file to their malware provider for manual analysis and signature whitelisting if it’s deemed safe.
From my side, the likely triggers still appear to be the use of remote file_get_contents() calls, third-party proxy endpoints, direct file deletion via unlink(), and legacy input handling patterns.
I’ll proceed with the host’s malware analysis submission, but longer-term it would be good to refactor these areas to avoid repeat false positives across other hosts and security tools.
I’ll update you once the malware provider responds.
Regards,
Aaron
Okay thanks. I'll look into updating some of those older functions.
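A refactor of the three patterns Aaron lists (remote file_get_contents(), unlink() on a path, raw request input), as an added example that is not the plugin's own code: each legacy call is shown in a comment beside a form built on the WordPress HTTP, filesystem and sanitisation APIs, which pattern scanners rarely flag and which actually validate their input. The wprsp_ function and option names and the host api.example.com are assumed placeholders.

```php
<?php
// Added example, not the plugin's code. Each section shows the legacy call the
// thread names, then a WordPress-API form. Names starting with wprsp_ and the
// host 'api.example.com' are placeholders.

// 1. Remote fetch. Legacy: return file_get_contents( $url );
function wprsp_fetch_reviews( $url ) {
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( 'api.example.com' !== $host ) {               // allow-list the endpoint
        return new WP_Error( 'bad_host', 'Host not allowed' );
    }
    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        return $response;                              // DNS/TLS/transport failure
    }
    if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'bad_status', 'Unexpected HTTP status' );
    }
    return wp_remote_retrieve_body( $response );
}

// 2. File deletion. Legacy: unlink( $path ) on a caller-supplied path.
function wprsp_delete_cache_file( $name ) {
    $dir  = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'wprsp-cache' );
    $file = realpath( $dir . '/' . basename( $name ) ); // basename strips "../"
    if ( false === $dir || false === $file || 0 !== strpos( $file, $dir . '/' ) ) {
        return false;                                  // missing, or outside the cache dir
    }
    wp_delete_file( $file );                           // wp_delete_file() does no path check itself
    return true;
}

// 3. Input handling. Legacy: update_option( 'wprsp_api_key', $_POST['api_key'] );
function wprsp_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'wprsp_save_settings' );      // nonce from the settings form
    $key = isset( $_POST['api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) )
        : '';
    update_option( 'wprsp_api_key', $key );
}
```

The allow-list in wprsp_fetch_reviews() is what makes the remote call defensible to a reviewer as well as a scanner: the plugin can only ever talk to the endpoint it was written for.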