WP Spamshield

WP Spamshield is a malicious plugin that is targeting plugins on the WordPress plugin repository to disable them and cause harm to users' sites. WP Spamshield has been removed from the WordPress plugin repository because of the malicious code it contained. One of the plugins being targeted is Plugin Organizer. The author is currently attempting to find another repository to host his plugin and release more harmful code to the public. If you are running this plugin you should immediately remove it to prevent it from modifying your database and causing harm to your site. It targets other plugins and even tries to remove files that the user has installed. Here are some discussions on the topic of why it was eventually removed.



In those 2 support threads I pointed out to the developer of WP Spamshield that he was re-indexing the $_POST array incorrectly. Changing the $_POST array in the first place is a hack, and it shouldn't be done because it can cause instability, which is exactly what happened. So I released a fix for Plugin Organizer that stopped his code from re-indexing the $_POST array. He responded by releasing a version of WP Spamshield that disabled Plugin Organizer and deleted all files related to it. I then released a version of Plugin Organizer that deactivated WP Spamshield before it could do any of that. He in turn released a new version of WP Spamshield that deleted Plugin Organizer from within an MU plugin file that loaded before PluginOrganizerMU.class.php.

Rather than continue to release countermeasures to his malicious code I reported him to the WordPress admins, and they told both of us to remove our code that disables the other, which I was more than happy to do since that's all I wanted in the first place. After 2 weeks he had still not released a clean version of WP Spamshield. That's when the WordPress admins got tired of waiting and removed WP Spamshield from the repository.

He intends to release this plugin on a third party site. I have no doubt that version will be even more harmful to users since he won't have to follow the guidelines laid out by wordpress.org. In the last version the code targeted several other plugins, both from within the MU plugin file, which deletes files before the site has started to load plugins, and in the various "compatibility" classes contained within the standard plugin files.

Here are the 2 functions that target Plugin Organizer. The first is located in includes/class.compatibility.php at line 306 of version 1.9.21. As you can see, it completely disables Plugin Organizer by turning off selective plugin loading. Then it modifies the saved plugin load order, which has the potential to crash a site if the user had changed the load order to fix a conflict.

static public function deconflict_po_01() {
		/**
		 *	Make sure WP-SpamShield does not get disabled or hindered, for security reasons.
		 *	There is an activation notice warning users not to use the two together, but this is here for fallback mitigation.
		 */
		if( !is_admin() ) { return; }
		$pref = 'PO_'; $cb = '__return_zero';
		// Enumerates every autoloaded option on the site, not just this plugin's own.
		$all_options = wp_load_alloptions();
		$fix_options = array( 'admin_disable_plugins', 'disable_by_role', 'disable_mobile_plugins', 'disable_plugins', 'plugin_order', );
		foreach( $all_options  as $option => $value ) {
			if( 0 === strpos( $option, $pref ) ) {
				$slug = str_replace( $pref, '', $option );
				// Any PO_ option whose serialized value starts with the WP-SpamShield plugin name is zeroed.
				// Note: $fix_options is a plain list with integer keys, so isset( $fix_options[$slug] )
				// never matches a slug; the filters registered below are what actually force those options.
				if( 0 === strpos( serialize( $value ), WPSS_PLUGIN_NAME ) || isset( $fix_options[$slug] ) ) { update_option( $option, 0 ); continue; }
			}
		}
		// pre_update_option_{name} with __return_zero makes every save of these options write 0,
		// which switches off selective loading and wipes the saved load order.
		foreach( $fix_options as $i => $v ) {
			add_filter( 'pre_update_option_'.$pref.$v, $cb, 100, 1 );
		}
	}
The second function is located in includes/class.security.php at line 828 of version 1.9.21. It re-indexes variables in the post array without taking into account that the variables could be multidimensional associative arrays, which is the case with Plugin Organizer. It turns those associative arrays into indexed arrays, which creates instability in the platform.

static public function early_admin_intercept() {
		global $HTTP_RAW_POST_DATA, $pagenow;
		/* Do non-POST requests first (GET, HEAD, etc.) */
		// The original condition on this line was lost in extraction; it is reconstructed here from the comment above (assumption).
		if( empty( $_SERVER['REQUEST_METHOD'] ) || 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
			return NULL;
		}
		/* Then do POST requests... */
		if( empty( $_POST ) && empty( $HTTP_RAW_POST_DATA ) ) { return NULL; }
		if( 'widgets.php' === $pagenow || 'customize.php' === $pagenow ) { return NULL; }
		if( rs_wpss_is_admin_sproc() || rs_wpss_is_doing_cron() || rs_wpss_is_installing() || rs_wpss_is_cli() || parent::is_customize_preview() ) { return; }
		if( empty( $_POST ) && !empty( $HTTP_RAW_POST_DATA ) ) { $_POST = array( 'HTTP_RAW_POST_DATA' => $HTTP_RAW_POST_DATA ); }
		if( !empty( $_POST ) && is_array( $_POST ) ) {
			$pref = 'PO_';
			foreach( $_POST as $k => $v ) {
				// Applies to any PO_ field, or to the whole request when a PO_nonce or PO_ action is present.
				if( 0 === strpos( $k, $pref ) || !empty( $_POST[$pref.'nonce'] ) || ( !empty( $_GET['action'] ) && 0 === strpos( $_GET['action'], $pref ) ) ) {
					if( is_array( $v ) ) {
						foreach( $v as $ak => $av ) {
							// $av may itself be an array for nested fields; strpos() on an array is a warning on PHP 7 and a TypeError on PHP 8.
							if( 0 === strpos( $av, WPSS_PLUGIN_NAME ) ) { unset( $v[$ak] ); }
						}; $_POST[$k] = ( WPSS_Utils::is_array_num( $v ) ) ? WPSS_Utils::sort_unique( $v ) : $v; // re-indexing step that turns associative arrays into numeric ones
					}
				}
			}
		}
		return FALSE;
	}
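The following is an added example, not code from WP Spamshield or Plugin Organizer, showing concretely why re-indexing a nested $_POST entry destroys the data a plugin posted, and how input can be filtered without renumbering keys. The sample request data, the plugin paths, and the function names are constructed for the illustration; only the PO_ prefix comes from the post.

```php
<?php
// Added example (not WP-SpamShield or Plugin Organizer code). Demonstrates the
// key loss that a sort/unique "re-index" causes on an associative $_POST entry,
// and a recursive, key-preserving alternative. All data below is constructed.

// Constructed stand-in for $_POST from a plugin that keys values by plugin path
// (the shape the post describes for Plugin Organizer's saved load order).
$sample_post = array(
    'PO_nonce'        => 'deadbeef',
    'PO_plugin_order' => array(
        'plugin-a/plugin-a.php' => '1',
        'plugin-b/plugin-b.php' => '2',
        'plugin-c/plugin-c.php' => '2',   // duplicate position on purpose
    ),
);

// Lossy normalisation in the style the post criticises: array_unique() keeps
// keys, but sort() renumbers them from 0, so every plugin-path key is discarded
// and the consumer can no longer map a position back to a plugin.
function lossy_sort_unique( array $v ) {
    $v = array_unique( $v );
    sort( $v );
    return $v;
}

// Key-preserving alternative: walk the array recursively, drop only string
// values that start with $needle, and never renumber keys. String functions are
// only ever called on strings, because strpos() on an array value raises a
// warning on PHP 7 and a TypeError on PHP 8.
function strip_values_preserving_keys( array $v, $needle ) {
    $out = array();
    foreach ( $v as $k => $item ) {
        if ( is_array( $item ) ) {
            $out[ $k ] = strip_values_preserving_keys( $item, $needle );
        } elseif ( ! is_string( $item ) || 0 !== strpos( $item, $needle ) ) {
            $out[ $k ] = $item;
        }
    }
    return $out;
}

$lossy = lossy_sort_unique( $sample_post['PO_plugin_order'] );
$kept  = strip_values_preserving_keys( $sample_post, 'wp-spamshield' );

// Side by side: the lossy version has integer keys and one fewer element; the
// key-preserving version still carries every plugin-path key.
var_export( array(
    'lossy' => $lossy,
    'kept'  => $kept['PO_plugin_order'],
) );
```

Run it with `php example.php` and compare the two arrays: anything downstream that looks up `$order['plugin-a/plugin-a.php']` works on the second result and fails on the first, which is the instability the post describes. The general lesson is that request data should be validated by the plugin that owns the field, never rewritten wholesale by an unrelated plugin.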

The class.compatibility.php file is filled with functions that hobble other plugins. All of these things are done without the user's knowledge. WP Spamshield is malicious code masquerading as a security plugin. I'm surprised it wasn't removed from wordpress.org sooner. A vulnerability scan done by a third party turned up some less than reputable activity that WP Spamshield does in the background without the user's knowledge. You can see the results of this scan by clicking the link below.
Scan results
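As an added example (not part of the original post and not code from either plugin), here is a small static audit a site owner can run over installed plugin source to surface the two behaviours described above: forcing another plugin's options through pre_update_option_ hooks or variable-driven update_option() calls, and deleting files or plugins from an MU plugin, which runs before regular plugins can react. The sample source strings are constructed to resemble the quoted snippets; the own-option prefix 'wpss_', the callback name and the file paths are assumptions.

```php
<?php
// Added example: heuristic audit of plugin source for cross-plugin tampering.
// Not code from WP-SpamShield or Plugin Organizer; the sample input is constructed.

function audit_plugin_source( $source, array $own_option_prefixes, $is_mu_plugin = false ) {
    $findings = array();
    foreach ( preg_split( '/\R/', $source ) as $i => $line ) {
        $no = $i + 1;

        // 1. Option hooks. 'pre_update_option_' followed by concatenation builds the
        //    hook name at runtime, so the target option is unknown; a literal suffix
        //    outside our own prefixes targets someone else's option.
        if ( preg_match( '/[\'"](pre_update_option_|pre_option_)([A-Za-z0-9_]*)[\'"]/', $line, $m ) ) {
            if ( '' === $m[2] ) {
                $findings[] = array( 'line' => $no, 'type' => 'dynamic-option-hook', 'detail' => $m[1] . '...' );
            } elseif ( ! has_any_prefix( $m[2], $own_option_prefixes ) ) {
                $findings[] = array( 'line' => $no, 'type' => 'foreign-option-hook', 'detail' => $m[1] . $m[2] );
            }
        }

        // 2. Writes to an option whose name is not a string literal, typically inside
        //    a loop over wp_load_alloptions(): the code decides at runtime which
        //    (possibly foreign) option it overwrites.
        if ( preg_match( '/\b(update_option|delete_option)\s*\(\s*([^,\)]+)/', $line, $m )
             && ! preg_match( '/^[\'"]/', trim( $m[2] ) ) ) {
            $findings[] = array( 'line' => $no, 'type' => 'variable-option-write', 'detail' => $m[1] . '(' . trim( $m[2] ) . ')' );
        }

        // 3. File or plugin removal from an mu-plugin, which loads before plugins.
        if ( $is_mu_plugin
             && preg_match( '/\b(unlink|rmdir|wp_delete_file|delete_plugins|deactivate_plugins)\s*\(/', $line, $m ) ) {
            $findings[] = array( 'line' => $no, 'type' => 'mu-plugin-removal', 'detail' => $m[1] . '()' );
        }
    }
    return $findings;
}

function has_any_prefix( $name, array $prefixes ) {
    foreach ( $prefixes as $p ) {
        if ( 0 === strpos( $name, $p ) ) { return true; }
    }
    return false;
}

// Constructed sample resembling the quoted compatibility function. 'wpss_' is an
// assumed own prefix and wpss_save_settings an assumed callback; 'PO_' is the
// foreign prefix named in the post.
$sample_plugin = <<<'SRC'
$pref = 'PO_'; $cb = '__return_zero';
foreach ( wp_load_alloptions() as $option => $value ) {
    if ( 0 === strpos( $option, $pref ) ) { update_option( $option, 0 ); }
}
add_filter( 'pre_update_option_' . $pref . 'disable_plugins', $cb, 100, 1 );
add_filter( 'pre_update_option_wpss_settings', 'wpss_save_settings' );
SRC;

// Constructed sample of an mu-plugin removing another plugin's file (placeholder path).
$sample_mu = <<<'SRC'
if ( file_exists( WP_PLUGIN_DIR . '/some-other-plugin' ) ) { unlink( WP_PLUGIN_DIR . '/some-other-plugin/some-other-plugin.php' ); }
SRC;

foreach ( audit_plugin_source( $sample_plugin, array( 'wpss_' ) ) as $f ) {
    printf( "plugin    line %d  %-22s %s\n", $f['line'], $f['type'], $f['detail'] );
}
foreach ( audit_plugin_source( $sample_mu, array( 'wpss_' ), true ) as $f ) {
    printf( "mu-plugin line %d  %-22s %s\n", $f['line'], $f['type'], $f['detail'] );
}
```

On the constructed input the plugin sample yields a variable-option-write finding for the update_option() call inside the wp_load_alloptions() loop and a dynamic-option-hook finding for the concatenated pre_update_option_ name, while the hook on the plugin's own wpss_ option is not reported; the MU sample yields an mu-plugin-removal finding for unlink(). To audit a real site, feed each file under wp-content/plugins and wp-content/mu-plugins through audit_plugin_source() with that plugin's own option prefixes. The checks are heuristics meant to shortlist code for human review: a plugin legitimately writing its own options from a variable will also be listed.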

To prevent WP Spamshield from disabling Plugin Organizer I have released a version with new option names that aren't being targeted. This is only a temporary fix, since he will eventually release his code somewhere else and change his plugin to completely delete mine, I'm sure.

The developers of WP Spamshield are now referencing CVE-2012-6511 and CVE-2012-6512 as evidence that Plugin Organizer is unsafe. But if you look at the CVE for either of these by clicking the link you will see that they are related to a different plugin called Organizer that was abandoned several years ago, a plugin that is in no way related to me. You can view the page for that plugin here: https://wordpress.org/plugins/organizer/. So once again Scott Allen is making false statements and trying to convince people he targeted Plugin Organizer because of a security vulnerability that doesn't exist.

I would suggest everyone remove his code from your sites and stay far away from anything he’s involved in.