I tried Exploit Scanner 1.0, and the missing hashes message is gone now. Thanks for fixing that!

No problem, and thanks 🙂 I try to get hash updates out within hours of a WordPress release but just delayed a bit this time for other reasons.

There are 13 severe messages, mostly eval messages, some base64_decode messages. Is this normal?

It depends on your choice of plugins — I assume some of the other plugins you are running are being flagged. I don’t have anything like that picked up on my installs except for testing the scanner.

All matches have to be interpreted in context. Those functions can be used for non-malicious purposes (otherwise they wouldn’t be provided by PHP!), but they are very common in malicious code which is why the plugin searches for them. If you have the understanding to look through at the plugin code (something I would do for any plugin I install) to see how these functions are used then it’s safe to ignore that output and use it as a baseline. If you’re seeing matches in modified core files or in previously unheard of locations (maybe hidden away in an innocuous file name in wp-includes) then you should be more worried.

Is the first one cause for concern?

Possibly yes. The scanner only looks in core files if they have been modified. However, I notice that you’re seeing class-ixr.php whereas that file is called class-IXR.php in 3.1 and the line that got highlighted was changed between 3.0 and 3.1 to remove the trim. So looks like something weird has happened there, although that line is fine.

The second one is just a comment, so I don’t know why it’s been flagged.

The scanner doesn’t make any distinction between file type, comments, etc. And php.ini isn’t a core WordPress file.

Done, sorry for the delay. Update notifications should be visible in dashboards soon.