
Fixing a WordPress plugin called 'php-execution'


shiningtor


I'm trying to repair a WordPress plugin called 'php-execution' to run in PHP 7 and in the latest WordPress software.

This error is displayed: 'preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead'.

So I've tried to convert the following code to use preg_replace_callback without much luck.

if (wp_default_editor() != 'html') {
    // The 'e' flag on the pattern makes PHP eval() the replacement string;
    // it is this flag that PHP 7 rejects with the error quoted above.
    $content = preg_replace(
        '#<\?php([\s\S]*?)\?>#ie',
        '\'<img src="\' . PHP_EXECUTION_BASE_URL . \'/assets/trans.gif" class="mceWpPHP mceItemNoResize" title="php" alt="\' . base64_encode(stripslashes(\'\\0\')) . \'" />\'',
        $content
    );
}

return $content;
}

Can anyone help me to convert preg_replace to preg_replace_callback?

Thanks

shiningtor

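A /e-free version of that editor filter, as an added example (it is not the plugin's own code and is written to run outside WordPress). The function name php_execution_placeholders is assumed, the PHP_EXECUTION_BASE_URL value is a placeholder, and the wp_default_editor() check is stubbed when WordPress is not loaded. The one non-obvious change is the removal of stripslashes(): with the /e flag PHP ran addslashes() over the substituted match, which is why the original undid it, but preg_replace_callback hands the callback the raw match, so keeping stripslashes() would silently corrupt backslashes inside the snippet.

```php
<?php
// Added example, not the php-execution plugin's own code.
// PHP_EXECUTION_BASE_URL is the plugin's constant; this value is a placeholder.
if (!defined('PHP_EXECUTION_BASE_URL')) {
    define('PHP_EXECUTION_BASE_URL', 'https://example.invalid/wp-content/plugins/php-execution');
}

// Assumed name; the thread does not show the plugin's real filter function.
function php_execution_placeholders(string $content): string
{
    // Outside WordPress wp_default_editor() does not exist; assume the visual editor.
    $editor = function_exists('wp_default_editor') ? wp_default_editor() : 'tinymce';
    if ($editor === 'html') {
        return $content;
    }

    // Same pattern as the original minus the 'e' flag. The callback receives the
    // raw match in $m[0], exactly what '\0' referred to in the evaluated string.
    return preg_replace_callback(
        '#<\?php([\s\S]*?)\?>#i',
        function (array $m): string {
            // base64 output is [A-Za-z0-9+/=], so it is safe inside a quoted attribute.
            return '<img src="' . PHP_EXECUTION_BASE_URL . '/assets/trans.gif"'
                 . ' class="mceWpPHP mceItemNoResize" title="php"'
                 . ' alt="' . base64_encode($m[0]) . '" />';
        },
        $content
    );
}

// Reverse direction, used here only to check the round trip: pull every
// snippet back out of the placeholder images' alt attributes.
function php_execution_decode_alt(string $html): array
{
    preg_match_all('#<img[^>]*class="mceWpPHP[^"]*"[^>]*alt="([^"]*)"#i', $html, $m);
    return array_map('base64_decode', $m[1]);
}

// Constructed sample post body; the snippet deliberately contains a backslash
// so that a leftover stripslashes() would be caught by the check below.
$post = "<p>Hello</p>\n<?php echo \"a\\tb\"; ?>\n<p>Bye</p>";
$out = php_execution_placeholders($post);
echo $out, "\n";

$decoded = php_execution_decode_alt($out);
if ($decoded[0] !== "<?php echo \"a\\tb\"; ?>") {
    throw new RuntimeException('round trip lost characters');
}
echo "round trip ok\n";
```

Run it with `php example.php`; the script prints the rewritten post and then `round trip ok`. Replacing /e removes one eval() from the request path, but the plugin still exists to execute whatever PHP ends up in post content, which is the risk the later replies in this thread are about.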

Get rid of the plugin.

 

Allowing arbitrary code execution within posts is already a shitty idea. But doing it with an obscure plugin that seems to have been published somewhere in 2009 and never updated since is suicidal.

 

How about setting up a proper, secure WordPress installation? It's really not that hard.

Hi. The WordPress sites I use the php-execution plugin on are completely closed systems. Only I have access to them. How is this plugin insecure? I can see that this plugin would be insecure if I allowed commenting and users to add pages etc. But I don't.

Thanks

shiningtor


The WordPress ecosystem is infamous for its lack of security and has almost 1,000 entries in the CVE vulnerability database, not to mention the long history of high-profile attacks. And given your attitude towards security, it's hard to believe that you're running a carefully hardened server. This is anything but a “completely closed system”.

 

A single SQL injection or cross-site scripting or cross-site request forgery attack can be sufficient to inject code into a post. And once that's done, the attacker has direct access to your server.

Edited by Jacques1