
Wordfence is highlighting this as malicious code:

```php
function customFiltersSettings() {
    $settings = get_option('wp_custom_filters');

    if (!$settings) {
        return null;
    }

    return unserialize(base64_decode($settings));
}
```

This doesn't look to be bad, but I want to be sure.

Full code: https://pastebin.com/wi705icK

More info on the message:

This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: {\x0a $settings = get_option('wp_custom_filters');\x0a\x0a if (!$settings) {\x0a return null;\x0a }\x0a\x0a return unserialize(base64_decode($settings));

The issue type is: Hacktool:PHP/maliciousOptions.theme.11692 Description: Method used to hide malicious code in the database options table.

fivexi8617
  • `unserialize` can be prone to [PHP Object Injection](https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection) – Raymond Nijland Feb 18 '22 at 11:37
  • A couple of years back I came across some WP installations which were hacked and all of them used some kind of variation to "hide" the malicious code in a base64 encoded string which was decoded in code and executed. So by itself it is not malicious, but it is understandable that you would scan for base64 decoding and maybe declare it malicious. – clash Feb 18 '22 at 13:58
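
Both comments point at the stored value rather than the function itself, so the useful check is what the `wp_custom_filters` option actually decodes to. The following is an added example, not code from the question, the pastebin or Wordfence: `inspectOptionValue()`, the `DemoClass` name, the marker regex and the sample values are assumptions made for illustration. It decodes the value the same way the flagged function does, but without instantiating any serialized objects.

```php
<?php
// Inspect a base64 + serialize() option value without running object code.
function inspectOptionValue(string $raw): array
{
    $findings = [];
    // Strict mode rejects characters outside the base64 alphabet.
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        return ['not valid base64'];
    }
    // allowed_classes => false turns every serialized object into
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() code runs.
    $data = @unserialize($decoded, ['allowed_classes' => false]);
    if ($data === false && $decoded !== serialize(false)) {
        return ['base64 payload is not valid serialized PHP data'];
    }
    $walk = function ($value, string $path) use (&$walk, &$findings) {
        if ($value instanceof __PHP_Incomplete_Class) {
            // The array cast exposes the original class name and properties.
            $props = (array) $value;
            $findings[] = "$path: serialized object of class "
                . $props['__PHP_Incomplete_Class_Name'];
            unset($props['__PHP_Incomplete_Class_Name']);
            $value = $props;
        }
        if (is_array($value)) {
            foreach ($value as $key => $item) {
                $walk($item, $path . '[' . $key . ']');
            }
        } elseif (is_string($value)
            && preg_match('/<\?php|\beval\s*\(|\bbase64_decode\s*\(|<script\b/i', $value)) {
            $findings[] = "$path: string contains code-like content";
        }
    };
    $walk($data, 'option');
    return $findings;
}

// Constructed sample values (not taken from the pastebin or any real site).
$samples = [
    'benign'  => base64_encode(serialize(['enabled' => true, 'title' => 'Shop filters'])),
    'suspect' => base64_encode(serialize(['footer' => '<script src="https://example.invalid/x.js"></script>'])),
    'object'  => base64_encode('O:9:"DemoClass":0:{}'), // hypothetical class name
];
foreach ($samples as $name => $raw) {
    echo $name, ': ', json_encode(inspectOptionValue($raw)), PHP_EOL;
}
```

On a real site the input would be the string returned by `get_option('wp_custom_filters')`; an empty findings list only means none of these heuristic markers matched, not that the value is clean.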

0 Answers