Skip to content

Improve checksum verification for plugins without main PHP files#143

Merged
swissspidy merged 19 commits into
mainfrom
copilot/fix-plugin-verification-checks
May 28, 2026
Merged

Improve checksum verification for plugins without main PHP files#143
swissspidy merged 19 commits into
mainfrom
copilot/fix-plugin-verification-checks

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Nov 1, 2025
edited
Loading

Summary

Fixes security issue where wp plugin verify-checksums skipped plugin directories without valid main plugin files, allowing malware to hide in these "shadow" directories.

Changes

1. Enhanced Plugin Detection (get_all_plugin_names())

  • Scans wp-content/plugins/ filesystem for all plugin directories
  • Includes both plugins with valid headers AND directories without headers
  • Security measures:
    • Directory readability validation
    • Symlink exclusion to prevent traversal attacks
    • Proper error handling

2. Enhanced Plugin Fetcher (UnfilteredPlugin::get())

  • Detects plugin directories even when main files are missing
  • Constructs conventional plugin file path for verification
  • Path traversal and symlink protection via realpath() validation

3. Version Detection Fallback (fetch_version_from_wp_org())

  • When the main plugin file is missing and version cannot be determined locally, queries the WordPress.org API via WpOrgApi::get_plugin_info() to get the current stable version
  • Assumes the installed version matches the current stable release from WordPress.org
  • Issues a clear warning about this assumption: "Could not determine the version of plugin {slug} from its files. Assuming the current stable version ({version}) from WordPress.org."
  • Returns false (skips verification) if the plugin is not found on WordPress.org or the API call fails

4. User Warnings

  • Warning when main plugin file is missing during verification
  • Warning when version is assumed from WordPress.org stable release
  • Helps administrators identify potential security issues

5. Test Coverage

  • Comprehensive test scenario for missing main file case
  • Uses explicit --version flag for single-plugin verification
  • Validates renamed files are detected as checksum errors
  • Validates warnings are shown for both missing file and WP.org version assumption
  • Tests both single plugin and --all flag scenarios

Security Impact

Before: Attackers could hide malicious files in plugin directories by removing/renaming the main plugin file. These directories were completely ignored during checksum verification.

After: All plugin directories are verified against WordPress.org checksums, regardless of whether they have valid plugin headers. Malware cannot hide using this technique.

Usage Note

When a plugin's main file is missing and the version cannot be determined, the command automatically queries WordPress.org for the current stable version and verifies against that. You can also explicitly provide the version using the --version flag:

wp plugin verify-checksums plugin-name --version=1.2.3

Backward Compatibility

✅ Fully backward compatible - existing plugins with valid headers work exactly as before
✅ Only affects detection of plugin directories without valid main files (previously ignored)
✅ No breaking changes to API or command syntax

Files Changed

  • src/Checksum_Plugin_Command.php
  • src/WP_CLI/Fetchers/UnfilteredPlugin.php
  • features/checksum-plugin.feature
Original prompt

This section details on the original issue you should resolve

<issue_title>Verification checks skipped when plugin missing main PHP file</issue_title>
<issue_description>Recently ran into a situation where a website had malware reinfection issues which required a bit of a deep dive to resolve. During the process I discovered that wp plugin verify-checksums --all will only check plugins which have their main plugin.php file. For example, let's install a plugin then break the main file by renaming:

wp plugin install wordfence
mv wp-content/plugins/wordfence/wordfence.php wp-content/plugins/wordfence/wordfence.php.bad

Now if we try and run wp plugin verify-checksums wordfence we'll get the following:

Warning: The 'wordfence' plugin could not be found.
Error: You need to specify either one or more plugin slugs to check or use the --all flag to check all plugins.

Also if we run wp plugin verify-checksums --all it will say success and not even attempt to run any checks on the /wordfence/ directory. This is a problem as bad actors can use this method to hide files in these shadow plugin folders. Also there is no indication that these PHP files exist from /wp-admin/plugins.php.

I think the solution should be to run checksums verifications based solely on the directory names. If a plugin directory matches a wordpress.org plugin then maybe run the verification checks?</issue_description>

Comments on the Issue (you are @copilot in this section)

@danielbachhuber Interesting report!

I agree, this is worth putting together an enhancement for.</comment_new>

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 3 commits November 1, 2025 19:59
@swissspidy
Implement plugin directory scanning for checksums verification
b255e2a 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
@swissspidy
Add security hardening for file operations
e567bbd 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
@swissspidy
Address additional code review feedback
f1be4c5 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix verification checks for plugins missing main PHP file Fix plugin verification to detect directories without main PHP files Nov 1, 2025
Copilot AI requested a review from swissspidy November 1, 2025 20:12
@codecov
Copy link
Copy Markdown

codecov Bot commented Nov 1, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 88.37209% with 5 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
src/Checksum_Plugin_Command.php 84.37% 5 Missing ⚠️

📢 Thoughts on this report? Let us know!

@swissspidy

This comment was marked as resolved.

Sign in to view
@swissspidy
Fix code style issues: remove empty elseif and redundant is_array check
9a4be37 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

This comment was marked as resolved.

Sign in to view
@swissspidy swissspidy marked this pull request as ready for review November 1, 2025 21:19
@swissspidy swissspidy requested a review from a team as a code owner November 1, 2025 21:19
swissspidy
swissspidy reviewed Dec 12, 2025
View reviewed changes
Comment thread src/Checksum_Plugin_Command.php Outdated
@swissspidy
Use get_file_data() for version detection and remove readme.txt scanning
97a5b26 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
Copilot AI requested a review from swissspidy December 12, 2025 16:19
swissspidy
swissspidy reviewed Dec 12, 2025
View reviewed changes
Comment thread src/Checksum_Plugin_Command.php Outdated
@swissspidy swissspidy added the command:plugin-verify-checksums Related to 'plugin verify-checksums' command label Dec 12, 2025
@swissspidy
Remove unnecessary file size check as get_file_data() reads only 8KB
2545381 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>
Copilot AI requested a review from swissspidy December 12, 2025 16:27
@swissspidy

This comment was marked as resolved.

Sign in to view
gemini-code-assist[bot]

This comment was marked as resolved.

Sign in to view

Copilot AI reviewed Feb 3, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a security vulnerability where wp plugin verify-checksums would skip plugin directories that lack valid main PHP files, allowing malware to hide undetected in these "shadow" directories. The fix enhances plugin detection to scan the filesystem for all plugin directories and verify them against WordPress.org checksums, regardless of whether they have valid plugin headers.

Changes:

  • Enhanced get_all_plugin_names() to scan the filesystem for all plugin directories, not just those with valid headers, with security measures including symlink exclusion
  • Modified UnfilteredPlugin::get() to detect plugin directories even when main files are missing
  • Added detect_version_from_directory() fallback method to find version information from any PHP file in a plugin directory

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File Description
src/WP_CLI/Fetchers/UnfilteredPlugin.php Adds fallback logic to detect plugin directories without main files by checking filesystem directly
src/Checksum_Plugin_Command.php Enhances plugin detection with filesystem scanning, adds version detection fallback, includes security measures and user warnings
features/checksum-plugin.feature Adds test scenario for verifying plugins with missing/renamed main files

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/WP_CLI/Fetchers/UnfilteredPlugin.php Outdated
Comment thread src/Checksum_Plugin_Command.php Outdated
Comment thread features/checksum-plugin.feature
swissspidy
swissspidy reviewed May 27, 2026
View reviewed changes
Comment thread src/Checksum_Plugin_Command.php Outdated
Copilot AI requested a review from swissspidy May 27, 2026 09:12
@swissspidy swissspidy mentioned this pull request May 27, 2026
Closed
@swissspidy

This comment was marked as resolved.

Sign in to view
@swissspidy

This comment was marked as resolved.

Sign in to view
@swissspidy
Replace detect_version_from_directory with WP.org API version fallback
247b4e4 
Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

This comment was marked as resolved.

Sign in to view

This comment was marked as resolved.

Sign in to view
@swissspidy swissspidy changed the title Fix plugin verification to detect directories without main PHP files Improve checksum verification for plugins without main PHP files May 28, 2026
@swissspidy swissspidy added this to the 2.3.6 milestone May 28, 2026
@swissspidy swissspidy merged commit 09131de into main May 28, 2026
63 checks passed
@swissspidy swissspidy deleted the copilot/fix-plugin-verification-checks branch May 28, 2026 11:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@swissspidy swissspidy Awaiting requested review from swissspidy

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@swissspidy swissspidy

Copilot code review Copilot

Labels

command:plugin-verify-checksums Related to 'plugin verify-checksums' command

Projects

None yet

Milestone

2.3.6

Development

Successfully merging this pull request may close these issues.

Verification checks skipped when plugin missing main PHP file

3 participants

@swissspidy