9B534B8686E580E0E01768F00155B461

at path：ROOT / wp-content / plugins / wordfence / lib / wfJWT.php

run：R W Run

Diff

DIR

2026-02-05 01:05:21

R W Run

audit-log

DIR

2026-02-05 01:05:21

R W Run

dashboard

DIR

2026-02-05 01:05:21

R W Run

rest-api

DIR

2026-02-05 01:05:21

R W Run

Diff.php

5.63 KB

2025-12-21 04:19:00

R W Run

IPTraf.php

1.17 KB

2025-12-21 04:19:00

R W Run

IPTrafList.php

2.98 KB

2025-12-21 04:19:00

R W Run

WFLSPHP52Compatability.php

1.27 KB

2025-12-21 04:19:00

R W Run

compat.php

425 By

2025-12-21 04:19:00

R W Run

diffResult.php

2.81 KB

2025-12-21 04:19:00

R W Run

email_genericAlert.php

1.39 KB

2025-12-21 04:19:00

R W Run

email_newIssues.php

8.82 KB

2025-12-21 04:19:00

R W Run

email_unlockRequest.php

2.34 KB

2025-12-21 04:19:00

R W Run

email_unsubscribeRequest.php

1.05 KB

2025-12-21 04:19:00

R W Run

flags.php

6.62 KB

2025-12-21 04:19:00

R W Run

geoip.mmdb

9.26 MB

2025-12-21 04:19:00

R W Run

live_activity.php

580 By

2025-12-21 04:19:00

R W Run

menu_dashboard.php

28.16 KB

2025-12-21 04:19:00

R W Run

menu_dashboard_options.php

15.37 KB

2025-12-21 04:19:00

R W Run

menu_firewall.php

2.12 KB

2025-12-21 04:19:00

R W Run

menu_firewall_blocking.php

10.25 KB

2025-12-21 04:19:00

R W Run

menu_firewall_blocking_options.php

4.63 KB

2025-12-21 04:19:00

R W Run

menu_firewall_waf.php

19.96 KB

2025-12-21 04:19:00

R W Run

menu_firewall_waf_options.php

11.09 KB

2025-12-21 04:19:00

R W Run

menu_install.php

1.73 KB

2025-12-21 04:19:00

R W Run

menu_options.php

24.7 KB

2025-12-21 04:19:00

R W Run

menu_scanner.php

21.6 KB

2025-12-21 04:19:00

R W Run

menu_scanner_credentials.php

2.77 KB

2025-12-21 04:19:00

R W Run

menu_scanner_options.php

8.41 KB

2025-12-21 04:19:00

R W Run

menu_support.php

17.82 KB

2025-12-21 04:19:00

R W Run

menu_tools.php

1.49 KB

2025-12-21 04:19:00

R W Run

menu_tools_auditlog.php

16.43 KB

2025-12-21 04:19:00

R W Run

menu_tools_diagnostic.php

50.8 KB

2025-12-21 04:19:00

R W Run

menu_tools_importExport.php

1.28 KB

2025-12-21 04:19:00

R W Run

menu_tools_livetraffic.php

39.43 KB

2025-12-21 04:19:00

R W Run

menu_tools_twoFactor.php

19.6 KB

2025-12-21 04:19:00

R W Run

menu_tools_whois.php

4.61 KB

2025-12-21 04:19:00

R W Run

menu_wordfence_central.php

9.66 KB

2025-12-21 04:19:00

R W Run

noc1.key

1.64 KB

2025-12-21 04:19:00

R W Run

sodium_compat_fast.php

185 By

2025-12-21 04:19:00

R W Run

sysinfo.php

1.47 KB

2025-12-21 04:19:00

R W Run

viewFullActivityLog.php

1.47 KB

2025-12-21 04:19:00

R W Run

wf503.php

9.67 KB

2025-12-21 04:19:00

R W Run

wfAPI.php

10.1 KB

2025-12-21 04:19:00

R W Run

wfActivityReport.php

20.55 KB

2025-12-21 04:19:00

R W Run

wfAdminNoticeQueue.php

5.2 KB

2025-12-21 04:19:00

R W Run

wfAlerts.php

8.19 KB

2025-12-21 04:19:00

R W Run

wfAuditLog.php

47.13 KB

2025-12-21 04:19:00

R W Run

wfBinaryList.php

1.02 KB

2025-12-21 04:19:00

R W Run

wfBrowscap.php

3.9 KB

2025-12-21 04:19:00

R W Run

wfBrowscapCache.php

256.83 KB

2025-12-21 04:19:00

R W Run

wfBulkCountries.php

9.77 KB

2025-12-21 04:19:00

R W Run

wfCache.php

6.02 KB

2025-12-21 04:19:00

R W Run

wfCentralAPI.php

25.8 KB

2025-12-21 04:19:00

R W Run

wfCommonPasswords.php

1.25 KB

2025-12-21 04:19:00

R W Run

wfConfig.php

124.66 KB

2025-12-21 04:19:00

R W Run

wfCrawl.php

6.92 KB

2025-12-21 04:19:00

R W Run

wfCredentialsController.php

10.3 KB

2025-12-21 04:19:00

R W Run

wfCrypt.php

4.05 KB

2025-12-21 04:19:00

R W Run

wfCurlInterceptor.php

1.02 KB

2025-12-21 04:19:00

R W Run

wfDB.php

11.49 KB

2025-12-21 04:19:00

R W Run

wfDashboard.php

8.2 KB

2025-12-21 04:19:00

R W Run

wfDateLocalization.php

352.13 KB

2025-12-21 04:19:00

R W Run

wfDeactivationOption.php

2.13 KB

2025-12-21 04:19:00

R W Run

wfDiagnostic.php

67.03 KB

2025-12-21 04:19:00

R W Run

wfDirectoryIterator.php

1.89 KB

2025-12-21 04:19:00

R W Run

wfFileUtils.php

2.72 KB

2025-12-21 04:19:00

R W Run

wfHelperBin.php

1.97 KB

2025-12-21 04:19:00

R W Run

wfHelperString.php

2.13 KB

2025-12-21 04:19:00

R W Run

wfI18n.php

878 By

2025-12-21 04:19:00

R W Run

wfIPWhitelist.php

1.56 KB

2025-12-21 04:19:00

R W Run

wfImportExportController.php

3.23 KB

2025-12-21 04:19:00

R W Run

wfInaccessibleDirectoryException.php

303 By

2025-12-21 04:19:00

R W Run

wfInvalidPathException.php

266 By

2025-12-21 04:19:00

R W Run

wfIpLocation.php

1.8 KB

2025-12-21 04:19:00

R W Run

wfIpLocator.php

2.7 KB

2025-12-21 04:19:00

R W Run

wfIssues.php

27.93 KB

2025-12-21 04:19:00

R W Run

wfJWT.php

5.33 KB

2025-12-21 04:19:00

R W Run

wfLicense.php

10.95 KB

2025-12-21 04:19:00

R W Run

wfLockedOut.php

9.73 KB

2025-12-21 04:19:00

R W Run

wfLog.php

57.38 KB

2025-12-21 04:19:00

R W Run

wfMD5BloomFilter.php

5.2 KB

2025-12-21 04:19:00

R W Run

wfModuleController.php

754 By

2025-12-21 04:19:00

R W Run

wfNotification.php

6.41 KB

2025-12-21 04:19:00

R W Run

wfOnboardingController.php

9.22 KB

2025-12-21 04:19:00

R W Run

wfPersistenceController.php

819 By

2025-12-21 04:19:00

R W Run

wfRESTAPI.php

377 By

2025-12-21 04:19:00

R W Run

wfScan.php

15.92 KB

2025-12-21 04:19:00

R W Run

wfScanEngine.php

128.95 KB

2025-12-21 04:19:00

R W Run

wfScanEntrypoint.php

1.04 KB

2025-12-21 04:19:00

R W Run

wfScanFile.php

1.01 KB

2025-12-21 04:19:00

R W Run

wfScanFileLink.php

403 By

2025-12-21 04:19:00

R W Run

wfScanFileListItem.php

408 By

2025-12-21 04:19:00

R W Run

wfScanFileProperties.php

1.07 KB

2025-12-21 04:19:00

R W Run

wfScanMonitor.php

4.05 KB

2025-12-21 04:19:00

R W Run

wfScanPath.php

1.77 KB

2025-12-21 04:19:00

R W Run

wfSchema.php

11.93 KB

2025-12-21 04:19:00

R W Run

wfStyle.php

1.21 KB

2025-12-21 04:19:00

R W Run

wfSupportController.php

24.18 KB

2025-12-21 04:19:00

R W Run

wfUnlockMsg.php

1.14 KB

2025-12-21 04:19:00

R W Run

wfUpdateCheck.php

27.23 KB

2025-12-21 04:19:00

R W Run

wfUtils.php

128.73 KB

2025-12-21 04:19:00

R W Run

wfVersionCheckController.php

19.27 KB

2025-12-21 04:19:00

R W Run

wfVersionSupport.php

535 By

2025-12-21 04:19:00

R W Run

wfView.php

2.22 KB

2025-12-21 04:19:00

R W Run

wfViewResult.php

1.42 KB

2025-12-21 04:19:00

R W Run

wfWebsite.php

1.75 KB

2025-12-21 04:19:00

R W Run

wordfenceClass.php

437.99 KB

2025-12-21 04:19:00

R W Run

wordfenceConstants.php

3.56 KB

2025-12-21 04:19:00

R W Run

wordfenceHash.php

42.7 KB

2025-12-21 04:19:00

R W Run

wordfenceScanner.php

28.09 KB

2025-12-21 04:19:00

R W Run

wordfenceURLHoover.php

18.35 KB

2025-12-21 04:19:00

R W Run

error_log

📄wfJWT.php

<?php

class wfJWT {

private $claims;
	const JWT_TTL = 600;
	const ISSUER = 600;

public static function extractTokenContents($token) {
		if (!is_string($token)) {
			throw new InvalidArgumentException('Token is not a string. ' . gettype($token) . ' given.');
		}

// Verify the token matches the JWT format.
		if (!preg_match('/^[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?$/', $token)) {
			throw new wfJWTException('Invalid token format.');
		}
		list($header, $body, $signature) = explode('.', $token);

// Test that the token is valid and not expired.
		$decodedHeader = base64_decode($header);

if (!(is_string($decodedHeader) && $decodedHeader)) {
			throw new wfJWTException('Token header is invalid.');
		}

$header = json_decode($decodedHeader, true);
		if (!is_array($header)) {
			throw new wfJWTException('Token header is invalid.');
		}

$decodedBody = base64_decode($body);

if (!(is_string($decodedBody) && $decodedBody)) {
			throw new wfJWTException('Token body is invalid.');
		}

$body = json_decode($decodedBody, true);
		if (!is_array($body)) {
			throw new wfJWTException('Token body is invalid.');
		}

return array(
			'header'    => $header,
			'body'      => $body,
			'signature' => $signature,
		);

}

/**
	 * @param mixed $subject
	 */
	public function __construct($subject = null) {
		$this->claims = $this->getClaimDefaults();
		$this->claims['sub'] = $subject;
	}

/**
	 * @return string
	 */
	public function encode() {
		$header = $this->encodeString($this->buildHeader());
		$body = $this->encodeString($this->buildBody());
		return sprintf('%s.%s.%s', $header, $body,
			$this->encodeString($this->sign(sprintf('%s.%s', $header, $body))));
	}

/**
	 * @param string $token
	 * @return array
	 * @throws wfJWTException|InvalidArgumentException
	 */
	public function decode($token) {
		if (!is_string($token)) {
			throw new InvalidArgumentException('Token is not a string. ' . gettype($token) . ' given.');
		}

// Verify signature matches the supplied payload.
		if (!$this->verifySignature($this->decodeString($signature), sprintf('%s.%s', $header, $body))) {
			throw new wfJWTException('Invalid signature.');
		}

// Test that the token is valid and not expired.
		$decodedHeader = base64_decode($header);

if (!(is_string($decodedHeader) && $decodedHeader)) {
			throw new wfJWTException('Token header is invalid.');
		}

$header = json_decode($decodedHeader, true);
		if (!(
			is_array($header) &&
			array_key_exists('alg', $header) &&
			$header['alg'] === 'HS256' &&
			$header['typ'] === 'JWT'
		)) {
			throw new wfJWTException('Token header is invalid.');
		}

$decodedBody = base64_decode($body);

if (!(is_string($decodedBody) && $decodedBody)) {
			throw new wfJWTException('Token body is invalid.');
		}

$body = json_decode($decodedBody, true);
		if (!(
			is_array($body) &&

// Check the token not before now timestamp.
			array_key_exists('nbf', $body) &&
			is_numeric($body['nbf']) &&
			$body['nbf'] <= time() &&

// Check the token is not expired.
			array_key_exists('exp', $body) &&
			is_numeric($body['exp']) &&
			$body['exp'] >= time() &&

// Check the issuer and audience is ours.
			$body['iss'] === 'Wordfence ' . WORDFENCE_VERSION &&
			$body['aud'] === 'Wordfence Central'
		)) {
			throw new wfJWTException('Token is invalid or expired.');
		}

return array(
			'header' => $header,
			'body'   => $body,
		);
	}

/**
	 * @param string $string
	 * @return string
	 */
	public function sign($string) {
		$salt = wp_salt('auth');

return hash_hmac('sha256', $string, $salt, true);
	}

/**
	 * @param string $signature
	 * @param string $message
	 * @return bool
	 */
	public function verifySignature($signature, $message) {
		return hash_equals($this->sign($message), $signature);
	}

/**
	 * @return string
	 */
	public function __toString() {
		return $this->encode();
	}

/**
	 * @param string $data
	 * @return string
	 */
	public function encodeString($data) {
		return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
	}

/**
	 * @param string $data
	 * @return bool|string
	 */
	public function decodeString($data) {
		return base64_decode(strtr($data, '-_', '+/'));
	}

/**
	 * @return mixed|string
	 */
	protected function buildHeader() {
		return '{"alg":"HS256","typ":"JWT"}';
	}

/**
	 * @return mixed|string
	 */
	protected function buildBody() {
		return json_encode($this->getClaims());
	}

/**
	 * @return array
	 */
	protected function getClaimDefaults() {
		$now = time();
		return array(
			'iss' => 'Wordfence ' . WORDFENCE_VERSION,
			'aud' => 'Wordfence Central',
			'nbf' => $now,
			'iat' => $now,
			'exp' => $now + self::JWT_TTL,
		);
	}

/**
	 * @param array $claims
	 */
	public function addClaims($claims) {
		if (!is_array($claims)) {
			throw new InvalidArgumentException(__METHOD__ . ' expects argument 1 to be array.');
		}
		$this->setClaims(array_merge($this->getClaims(), $claims));
	}

/**
	 * @return array
	 */
	public function getClaims() {
		return $this->claims;
	}

/**
	 * @param array $claims
	 */
	public function setClaims($claims) {
		$this->claims = $claims;
	}
}

class wfJWTException extends Exception {

}