
Verification checks skipped when plugin missing main PHP file

Open austinginder opened this issue 2 years ago • 1 comments

Recently ran into a situation where a website had malware reinfection issues which required a bit of a deep dive to resolve. During the process I discovered that wp plugin verify-checksums --all will only check plugins which have their main plugin.php file. For example, let's install a plugin then break the main file by renaming:

wp plugin install wordfence
mv wp-content/plugins/wordfence/wordfence.php wp-content/plugins/wordfence/wordfence.php.bad

Now if we try and run wp plugin verify-checksums wordfence we'll get the following:

Warning: The 'wordfence' plugin could not be found.
Error: You need to specify either one or more plugin slugs to check or use the --all flag to check all plugins.

Also if we run wp plugin verify-checksums --all it will say success and not even attempt to run any checks on the /wordfence/ directory. This is a problem as bad actors can use this method to hide files in these shadow plugin folders. Also there is no indication that these PHP files exist from /wp-admin/plugins.php.

I think the solution should be to run checksum verifications based solely on the directory names. If a plugin directory matches a wordpress.org plugin then maybe run the verification checks?

Jan 22 '24 17:01 austinginder

Interesting report!

I agree, this is worth putting together an enhancement for.

Jan 22 '24 23:01 danielbachhuber
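
A defender-side check for the gap reported in this issue, as an added example that is not part of the original thread or of WP-CLI: it walks the plugins directory on disk and lists every subdirectory that has no top-level PHP file with a `Plugin Name:` header, which are the directories `wp plugin verify-checksums --all` passes over. The function names are hypothetical, and the header pattern is an assumption that approximates how WordPress recognises a plugin's main file.

```shell
#!/bin/sh
# Added example: find "shadow" plugin directories that WordPress does not
# register as plugins and that checksum verification therefore never inspects.
# Assumption: a directory is a plugin only if one of its top-level *.php files
# carries a "Plugin Name:" header within the first 8 KB of the file.

# Print the name of each subdirectory of $1 that has no main plugin file.
find_shadow_plugin_dirs() (
    plugins_dir="$1"
    for dir in "$plugins_dir"/*/; do
        [ -d "$dir" ] || continue
        found=0
        for file in "$dir"*.php; do
            [ -f "$file" ] || continue
            if head -c 8192 "$file" |
                grep -qiE '^([[:space:]]*<\?php)?[[:space:]/*#@]*Plugin Name:'; then
                found=1
                break
            fi
        done
        # No header found: report the directory (trailing slash is stripped).
        [ "$found" -eq 1 ] || basename "$dir"
    done
)

# Count PHP-like files anywhere below a flagged directory, for triage.
# The pattern also matches renamed files such as wordfence.php.bad.
count_php_files() {
    find "$1" -type f -iname '*.php*' | wc -l | tr -d ' '
}

# Report mode: run only when a plugins directory is passed as the argument,
# e.g. sh shadow-plugins.sh wp-content/plugins
if [ -d "${1:-}" ]; then
    find_shadow_plugin_dirs "$1" | while read -r slug; do
        printf '%s\t%s PHP-like file(s), no plugin header\n' \
            "$slug" "$(count_php_files "$1/$slug")"
    done
fi
```

Each flagged directory needs manual review or a diff against a clean copy of the plugin from wordpress.org, since WP-CLI will not checksum it.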