We’re experiencing some YARA scan hits on multiple sites running the Free WP Download Manager plugin. The flagged files are located in the wpdm-cache directory and follow this pattern:
{CAV}YARA.galers_backdoor_fdc88 : /var/www/vhosts/[sitename]/httpdocs/wp-content/uploads/wpdm-cache/session-[hash].txt
Clearing the cache is straightforward, and we can automate daily cache purges, but our hosting provider is unable to determine whether this is an actual security threat or just a false positive.
Questions:
1) Has anyone else encountered this issue with WPDM?
2) Are these session files expected behavior, or do they suggest a potential vulnerability?
3) Could these YARA scan results indicate a real backdoor infection, or is it just a misclassification due to certain string patterns?
Appreciate any insights.
Thank you.
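Added example, not code from the original post or from the WP Download Manager project: a small Python triage script that reads the flagged session-*.txt files under wpdm-cache and reports, per file, whether it contains PHP code constructs (the thing a real backdoor would need), an opaque encoded blob that must be decoded before judging, or plain readable data. The marker list, the entropy threshold and the embedded sample strings are assumptions; the actual strings the galers_backdoor_fdc88 rule matches are not reproduced on the page, so this is a second opinion beside the YARA hit, not a reimplementation of it.

```python
"""Triage YARA hits on WPDM cache session files (added example, not WPDM code)."""
import math
import re
import sys
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Generic markers of PHP code or obfuscation. A session cache file should hold
# data only, so any of these in it deserves a human look. Assumption: these are
# NOT the strings of the galers_backdoor_fdc88 rule, which the post does not show.
CODE_MARKERS = {
    "php_open_tag": re.compile(r"<\?(php|=)", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "decode_call": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I),
    "exec_call": re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(", re.I),
    "variable_function": re.compile(r"\$\w+\s*\(\s*\$"),  # $f($x): indirect call, common in shells
}
OPAQUE_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long base64-looking run
ENTROPY_REVIEW = 5.5  # bits/byte; heuristic: text and PHP serialize() output sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_content(text: str) -> Dict[str, object]:
    """Classify one cache file's text into suspicious / review / likely benign."""
    hits = sorted(name for name, rx in CODE_MARKERS.items() if rx.search(text))
    entropy = shannon_entropy(text.encode("utf-8", "replace"))
    if hits:
        verdict = "suspicious"      # executable PHP constructs inside a data file
    elif OPAQUE_BLOB.search(text) or entropy >= ENTROPY_REVIEW:
        verdict = "review"          # opaque payload: decode it before deciding
    else:
        verdict = "likely benign"   # readable data, no code constructs found
    return {"hits": hits, "entropy": round(entropy, 2), "verdict": verdict}


def triage_cache_dir(cache_dir: Path) -> List[Dict[str, object]]:
    """Triage every session-*.txt directly under the given wpdm-cache directory."""
    results = []
    for path in sorted(cache_dir.glob("session-*.txt")):
        result = triage_content(path.read_text(encoding="utf-8", errors="replace"))
        result["path"] = str(path)
        results.append(result)
    return results


# Constructed samples for a dry run; not contents of any real flagged file.
SAMPLE_SERIALIZED = 'a:2:{s:4:"user";i:12;s:4:"file";s:9:"report.pdf";}'
SAMPLE_WEBSHELL = '<?php eval(base64_decode($_POST["c"])); ?>'
SAMPLE_OPAQUE = "QUJDRA" * 40  # 240-char alphanumeric run, no code markers


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python triage_wpdm_cache.py /var/www/vhosts/SITE/httpdocs/wp-content/uploads/wpdm-cache
        for r in triage_cache_dir(Path(sys.argv[1])):
            print(f'{r["verdict"]:14} entropy={r["entropy"]:5} hits={r["hits"]} {r["path"]}')
    else:
        for name, sample in [("serialized", SAMPLE_SERIALIZED),
                             ("webshell", SAMPLE_WEBSHELL),
                             ("opaque", SAMPLE_OPAQUE)]:
            print(name, triage_content(sample))
```

A "suspicious" verdict means the file holds PHP constructs, not that it is executing: a .txt under uploads only becomes a backdoor if something runs it (a PHP include of that path, or a handler or .htaccess that maps .txt to PHP), so check those alongside the file contents. A "review" verdict on every file with no hits is consistent with the cache storing encoded or serialized session state, which is the false-positive scenario the question raises; decode one such blob and compare its creation time against the access log before deciding.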