- Lester Chan's WordPress Plugins - https://lesterchan.net/wordpress -

Code Injection Follow Up

I have released 2 security updates to WP-Polls [1] and WP-PostRatings [2], which basically remove malicious code that allows code injection.

The malicious code is as follows:

if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER']))
return;

By itself the line looks like a no-op, but $_SERVER['HTTP_REFERER'] is nothing more than the client's Referer header, which an attacker can set to any value they like, and that is what the hackers are spoofing to get arbitrary code injected. Note also the @ sign in front of the call: it suppresses every PHP error and warning that the call raises, so the injection never shows up as an error on the page.
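As an added example (it is not code from WP-Polls, WP-PostRatings or WordPress), here is a small Python triage scanner for the pattern above: attacker-controlled request data (the Referer header, PHP_SELF, GET/POST/COOKIE values) handed to a function call, with the case where the call is hidden behind @ ranked highest. The list of tainted superglobals and the sample file contents are constructed for the demo. It works line by line with no dataflow, so a tainted value stored in a variable and used later is not followed. Run it against a checkout of each SVN revision to find where a line like the one above first appeared.

```python
"""Triage scanner for PHP plugin source: flags lines where attacker-controlled
request data is passed to a function call, ranking a call hidden behind the
'@' error-suppression operator as high severity.

Added example for this post; not code from WP-Polls, WP-PostRatings or
WordPress.  The sample file contents below are constructed for the demo."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from typing import NamedTuple

# Request-derived values an attacker sets directly.  The list is an assumption
# chosen for this demo; extend it for your own code base.
TAINTED = re.compile(
    r"\$_(?:GET|POST|COOKIE|REQUEST)\b"
    r"|\$_SERVER\[\s*['\"](?:HTTP_[A-Z_]+|PHP_SELF|REQUEST_URI|QUERY_STRING)['\"]\s*\]"
)
# '@' immediately in front of a call, e.g. @links_add_base_url(
SUPPRESSED_CALL = re.compile(r"@\s*([A-Za-z_][A-Za-z0-9_]*)\s*\(")
# any call-like token; PHP control structures are filtered out via NOT_CALLS
ANY_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")
NOT_CALLS = {"if", "elseif", "while", "for", "foreach", "switch",
             "isset", "empty", "unset", "list", "array", "return"}


class Finding(NamedTuple):
    path: str
    lineno: int
    severity: str  # "high" (suppressed call) or "medium" (plain call)
    func: str
    line: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per suspicious line of a PHP file's contents."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # comment line; good enough for a triage pass
        taints = list(TAINTED.finditer(line))
        if not taints:
            continue
        # High: tainted data sits inside the argument list of a call whose
        # errors are silenced with '@', exactly the shape of the backdoor line.
        sup = SUPPRESSED_CALL.search(line)
        if sup and any(t.start() >= sup.end() for t in taints):
            findings.append(Finding(path, lineno, "high", sup.group(1), stripped))
            continue
        # Medium: tainted data is an argument to an ordinary call; worth a look.
        for call in ANY_CALL.finditer(line):
            if call.group(1) in NOT_CALLS:
                continue
            if any(t.start() >= call.end() for t in taints):
                findings.append(Finding(path, lineno, "medium", call.group(1), stripped))
                break
    return findings


def scan_tree(root: Path) -> list[Finding]:
    """Scan every .php file under root (e.g. a checkout of one SVN revision)."""
    out: list[Finding] = []
    for php in sorted(root.rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        out.extend(scan_text(str(php.relative_to(root)), text))
    return out


# Constructed sample files: the line quoted in the post plus ordinary plugin-style code.
SAMPLE_FILES = {
    "sample-plugin.php": (
        "<?php\n"
        "// Constructed sample for the scanner; not real plugin source.\n"
        "if ($_SERVER['PHP_SELF'] == @links_add_base_url(\"/\", $_SERVER['HTTP_REFERER']))\n"
        "\treturn;\n"
        "$poll_id = intval($_POST['poll_id']);\n"
        "echo esc_html(get_option('poll_template'));\n"
    ),
    "sample-admin.php": (
        "<?php\n"
        "if (!current_user_can('manage_polls')) { die('Access Denied'); }\n"
        "$mode = trim($_GET['mode']);\n"
    ),
}


def demo() -> list[Finding]:
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLE_FILES.items():
            (root / name).write_text(body, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f.severity:6}] {f.path}:{f.lineno} {f.func}()  {f.line}")
```

Only the backdoor line comes back as high; the intval() and trim() lines are the routine medium hits you would expect in any plugin and are listed so the reviewer can confirm each one is a sanitiser rather than something else.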

I am 100% sure based on the points below that the code was not added by me. I am beginning to believe that my account was hacked.

I am going to review all my commits to the SVN to ensure that no more suspicious code has been added.