Hi Robert,
We added detection recently for malware that was using str_replace along with lambda functions e.g. $myVarContainingFunctionName();
The hope was that very few legit plugins/themes would have str_replace and a lambda call on the same line. Turns out we were wrong, so we fixed it with a server update. So all Wordfence scans won't produce these false positives anymore and the issue is now fixed.
You can ask your customer to simply rescan and the issue will disappear from the list.
Regards,
Mark.