Multiple user reports have surfaced warning that the latest version of WordPress is triggering trojan alerts, and at least one user reported that a web host locked down a website because of the file. What really happened turned into a learning experience.
Antivirus Flags Trojan In Official WordPress 6.6.1 Download
The first report was filed in the official WordPress.org help forums, where a user reported that the native antivirus in Windows 11 (Windows Defender) flagged the WordPress zip file they had downloaded from WordPress as containing a trojan.
This is the text of the original post:
“Windows Defender shows that the latest wordpress-6.6.1zip has Trojan:Win32/Phish!MSR virus when I try downloading from the official wp site
it shows the same virus notification when updating from within the WordPress dashboard of my site
Is this a false positive?”
They also posted screenshots of the trojan warning that listed the status as “Quarantine failed” and stated that the WordPress zip file of version 6.6.1 “is vulnerable and executes commands from an attacker.”
Screenshot Of Windows Defender Warning
Someone else confirmed that they were also having the same issue, noting that a string of code within one of the CSS files (style code that governs the look of a website, including colors) was the culprit that was triggering the warning.
They posted:
“I am experiencing the same issue. It seems to happen with the file \wp-includes\css\dist\block-library\style.min.css. It appears that a specific string in the CSS file is being detected as a Trojan virus. I would like to allow it, but I think I should wait for an official response before doing so. Is there anyone who can provide an official answer?”
Unexpected “Solution”
A false positive is generally a result that tests as positive when it’s not really a positive for whatever is being tested for. WordPress users soon began to suspect that the Windows Defender trojan virus alert was a false positive.
An official WordPress GitHub ticket was filed where the cause was identified as an insecure URL (http versus https) that’s referenced from within the CSS style sheet. A URL is not commonly considered a part of a CSS file, so that may be why Windows Defender flagged this specific CSS file as containing a trojan.
Here’s the part where things went off in an unexpected direction. Someone opened another WordPress GitHub ticket to document a proposed fix for the insecure URL, which should have been the end of the story, but it ended up leading to a discovery about what was really going on.
The insecure URL that needed fixing was this one:
http://www.w3.org/2000/svg
So the person who opened the ticket updated the file with a version that contained a link to the HTTPS version, which should have been the end of the story but for a nuance that was overlooked.
The (‘insecure’) URL is not a link to a source of files (and therefore not insecure) but rather an identifier that defines the scope of the Scalable Vector Graphics (SVG) language within XML.
So the problem ultimately ended up not being about something wrong with the code in WordPress 6.6.1 but rather an issue with Windows Defender, which failed to properly identify an “XML namespace” and instead mistakenly flagged it as a URL linking to downloadable files.
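The distinction between a namespace name and a fetched URL can be checked mechanically when triaging an alert like this one. The following is an added example, not code from WordPress or from the tickets; the sample CSS, the `cdn.example.test` host and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

SVG_NS = "http://www.w3.org/2000/svg"  # the identifier quoted in the article

# Constructed sample (not the real WordPress file): CSS with an inline SVG
# data: URI plus one genuine plain-http resource on a placeholder host.
SAMPLE_CSS = (
    ".a{background:url(\"data:image/svg+xml;utf8,"
    "%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 8 8'%3E"
    "%3Ccircle cx='4' cy='4' r='3'/%3E%3C/svg%3E\")}"
    ".b{background:url(http://cdn.example.test/logo.png)}"
)

def root_namespace(svg_text):
    """Namespace the XML parser assigns to the root; nothing is downloaded."""
    tag = ET.fromstring(svg_text).tag  # ElementTree form: '{namespace}local'
    return tag[1:].split("}")[0] if tag.startswith("{") else ""

def classify_http_strings(css):
    """Label every http:// string as a namespace name or a fetched resource."""
    text = unquote(css)  # data: URIs are often percent-encoded
    results = []
    for m in re.finditer(r"http://[^\s'\"()<>]+", text):
        # A value directly after xmlns= or xmlns:prefix= is only a name.
        is_ns = re.search(r"xmlns(:[\w.-]+)?\s*=\s*['\"]$", text[:m.start()])
        results.append((m.group(), "namespace-name" if is_ns else "fetched-resource"))
    return results

def inline_svgs_valid(css):
    """True if every embedded <svg> parses into the real SVG namespace."""
    svgs = re.findall(r"<svg\b.*?</svg>", unquote(css), re.S)
    return bool(svgs) and all(root_namespace(s) == SVG_NS for s in svgs)

if __name__ == "__main__":
    for url, kind in classify_http_strings(SAMPLE_CSS):
        print(f"{kind:17} {url}")
    print("original is SVG:", inline_svgs_valid(SAMPLE_CSS))
    # The HTTPS change described in the ticket: swapping the scheme renames
    # the namespace, so the element is no longer in the SVG namespace.
    patched = SAMPLE_CSS.replace("http://www.w3.org", "https://www.w3.org")
    print("https variant is SVG:", inline_svgs_valid(patched))
```

Namespace names are compared as plain strings, which is why the HTTPS variant fails the check while the plain-http resource on the second rule is the only string that would actually cause a network request.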
Takeaway
The false positive trojan file alert by Windows Defender and the subsequent discussion was a learning moment for many people (including myself!) about a relatively arcane bit of coding knowledge regarding the XML namespace for SVG files.
Read the original report:
Virus Issue :wordpress-6.6.1.zip shows a virus from windows defender