Matomo Malware Alert PHPMailer dot php via Wordfence Scan

My Wordfence scan threw up this alert in the last couple of days, is it a false positive or real malware?

  • Filename: /home/wordpressdirectory/url/wp-content/plugins/matomo/app/vendor/phpmailer/phpmailer/src/PHPMailer.php
  • File Type: Not a core, theme, or plugin file from wordpress dot org.
  • Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: . ';' . ' q=' . $DKIMquery . ';'

The issue type is: Obfuscated:PHP/concat.var.10859
Description: Obfuscation technique often seen in malware.

Hey Steve, Just had the same issue. Any updates from Matomo?

@S11 Thanks for reporting this. Could you answer the following questions that might help us investigate this?

  1. If possible could you provide a screenshot of this string within the offending file?

  2. Were any third-party plugins used from the Matomo Marketplace or otherwise? I don’t see the phpmailer directory in the source code for our WordPress plugin so just wondering where this may have come from.