WP Saves New Pages As Base64 Code

First off I'll preface this question by saying after seeing the base64 code in my client's theme I immediately contacted the host about a possible breach - they did a scan and found nothing. So that being clarified here's the full story.

My client has been using Wordpress without issue for a year now (unfortunately without updating the code until now) and she is having a weird issue where out of nowhere a couple days ago, when she modifies or creates a page, after saving the content when she tries accessing the page in the editor, it locks up and crashes the browser.

Everything works on the front end. The theme being used is SlashWP http://themeforest.net/item/slash-wp/701905

So when I took a look at her site, I managed to view her pages in the editor and when I clicked the HTML, low and behold, they entire page content (not just images) started with "base64(" and continued on with gibberish for literally pages and pages.

Now I'm not sure what can be triggering this if it's not malicious code but I've enclosed a screenshot from my client of the script error she's dealing with.

I'm actually thinking of auditing the theme code because I'm not sure how good the web host did with the scan, but as that will cost my client a bit of money I really want to avoid that expense if possible.

Thanks in advance for any insights,

Charles

  • Charles

    Hi Vaughan,

    Apologies for the late reply. As I'm working with my client on this issue getting tests done on their site has been a bit slow. To answer your question - I updated the theme and tried uploading an image and it worked fine without the base64 encoding.

    For what it's worth, I did a SQL dump of her site because I actually was going to clone her site on my dev server to do a code audit and I noted in the dump that it appears whenever Wordpress was calling an image, the source would always be encoded in base64 but everything else was fine. Now I know from experience that embedding images in the database is never a good idea (and I've seen it done on a prior client site with disastrous results) but I have no clue what would suddenly trigger this.

    Especially since it was just image tags and not any base64 eval () calls or snippets which are associated with malicious activity.

    I'm waiting right now for my client to scrap the faulty pages and then try recreating the content - so as soon as I hear back from her I'll provide an update on the status of this problem.

    Still - I'm very curious about what can be causing this because it seems very bizarre.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.