This plugin will find preg_replace vulnerabilities. This PHP function is vulnerable when the user can control the regular expression or the content of the string being analyzed and the regular expression has the ‘e’ modifier. Right now this plugin will only find preg_replace vulnerabilities when PHP is configured to show errors, but a new version will find “blind” preg_replace errors.

Plugin type



This plugin doesn’t have any user configured options.


For more information about this plugin and the associated tests, there’s always the source code to understand exactly what’s under the hood:
github-logoPlugin source code
Unittest source code


This plugin depends on grep.error_500.