Audit #17 Benign

YARPP – Yet Another Related Posts Plugin · 100k+ installs · baseline 1.0 → head 5.30.11 · suspect committer jeffparker · by austin · closed 2d ago

Actor: Jeff Parker (jeffparker, YARPP)

Show full summary

Suspect-shape but structurally unreachable — benign with one regression to flag. YARPP's version_info() matches the high-confidence catalog IOC unserialize_after_remote_call (@unserialize of wp_remote_post body, hardcoded endpoint, sslverify => false, no signature). The exact same shape that made content-egg's Admitad chain a 7-year latent RCE (audit #15). However, two independent failures make the chain dead code today: (1) the type-gate above the unserialize is always-true, blocking the call, and (2) the live yarpp.org/checkversion.php endpoint returns inert HTML rather than serialized PHP. The author is real and the domain is theirs. No active risk; one defensive regression worth flagging to the author.

✓

Investigated — no compromise found.

Audit retained for the record. No action required.

Plugins under the same committer's SVN access

jeffparker holds push access to 1 plugin totalling 100k+ active installs.

YARPP – Yet Another Related Posts Plugin — this audit

100k+

Plugin version history

Every release on wp.org for this plugin, color-coded by relationship to the incident. The compromise window shows where the wp.org Plugin Review Team deleted the malicious tags from SVN — those versions cannot be re-downloaded today.

1.0 2008-01-02 Last clean Last clean release before incident
🛑 Compromise window 3 days · 2008-01-02 → 2008-01-05

Malicious releases pushed during this window were deleted from SVN by the wp.org Plugin Review Team. Last malicious tag: 5.30.11.
1.0.1 2008-01-05 PRT cleanup PRT cleanup release — incident closed
1.1 2008-01-10 Clean Clean (post-cleanup)
1.5 2008-02-03 Clean Clean (post-cleanup)
1.5.1 2008-02-05 Clean Clean (post-cleanup)
2.0.3 2008-07-14 Clean Clean (post-cleanup)
2.0.2 2008-07-14 Clean Clean (post-cleanup)
2.0.1 2008-07-14 Clean Clean (post-cleanup)
2.0 2008-07-14 Clean Clean (post-cleanup)
2.0.4 2008-07-15 Clean Clean (post-cleanup)
2.0.5 2008-09-19 Clean Clean (post-cleanup)
2.0.6 2008-09-25 Clean Clean (post-cleanup)
2.1 2008-10-12 Clean Clean (post-cleanup)
2.1.1 2008-11-08 Clean Clean (post-cleanup)
2.1.2 2008-11-08 Clean Clean (post-cleanup)
2.1.3 2008-11-09 Clean Clean (post-cleanup)
2.1.4 2008-11-20 Clean Clean (post-cleanup)
2.1.5 2008-12-03 Clean Clean (post-cleanup)
3.0b1 2009-01-14 Clean Clean (post-cleanup)
3.0b2 2009-02-04 Clean Clean (post-cleanup)
3.0b3 2009-02-11 Clean Clean (post-cleanup)
3.0b4 2009-02-13 Clean Clean (post-cleanup)
3.0b5 2009-03-22 Clean Clean (post-cleanup)
3.0b6 2009-03-28 Clean Clean (post-cleanup)
3.0b7 2009-04-08 Clean Clean (post-cleanup)
2.1.6 2009-04-15 Clean Clean (post-cleanup)
3.0.1 2009-04-27 Clean Clean (post-cleanup)
3.0.2 2009-04-27 Clean Clean (post-cleanup)
3.0.3 2009-05-04 Clean Clean (post-cleanup)
3.0.4 2009-05-04 Clean Clean (post-cleanup)
3.0.5 2009-05-18 Clean Clean (post-cleanup)
3.0.6 2009-06-11 Clean Clean (post-cleanup)
3.0.7b1 2009-06-12 Clean Clean (post-cleanup)
3.0.7b2 2009-06-15 Clean Clean (post-cleanup)
3.0.7 2009-07-10 Clean Clean (post-cleanup)
3.0.8b1 2009-07-15 Clean Clean (post-cleanup)
3.0.8b2 2009-07-16 Clean Clean (post-cleanup)
3.0.8b3 2009-07-28 Clean Clean (post-cleanup)
3.0.8b4 2009-07-29 Clean Clean (post-cleanup)
3.0.8 2009-08-01 Clean Clean (post-cleanup)
3.0.9 2009-08-13 Clean Clean (post-cleanup)
3.0.10 2009-08-28 Clean Clean (post-cleanup)
3.0.11 2009-08-28 Clean Clean (post-cleanup)
3.0.12 2009-09-10 Clean Clean (post-cleanup)
3.0.13 2009-09-10 Clean Clean (post-cleanup)
3.0.14b1 2009-10-05 Clean Clean (post-cleanup)
3.1b1 2009-12-17 Clean Clean (post-cleanup)
3.1 2009-12-19 Clean Clean (post-cleanup)
3.1.1 2009-12-19 Clean Clean (post-cleanup)
3.1.2b1 2009-12-19 Clean Clean (post-cleanup)
3.1.2 2009-12-19 Clean Clean (post-cleanup)
3.1.3b1 2009-12-21 Clean Clean (post-cleanup)
3.1.3b2 2009-12-25 Clean Clean (post-cleanup)
3.1.3b3 2009-12-27 Clean Clean (post-cleanup)
3.1.3 2009-12-28 Clean Clean (post-cleanup)
3.1.4b2 2010-01-05 Clean Clean (post-cleanup)
3.1.4b3 2010-02-24 Clean Clean (post-cleanup)
3.1.4b4 2010-02-24 Clean Clean (post-cleanup)
3.1.4 2010-02-26 Clean Clean (post-cleanup)
3.1.5 2010-02-27 Clean Clean (post-cleanup)
3.1.6 2010-03-12 Clean Clean (post-cleanup)
3.1.7 2010-04-11 Clean Clean (post-cleanup)
3.1.8 2010-06-07 Clean Clean (post-cleanup)
3.1.9 2010-07-15 Clean Clean (post-cleanup)
3.2b1 2010-08-15 Clean Clean (post-cleanup)
3.2b2 2010-08-15 Clean Clean (post-cleanup)
3.3 2011-06-07 Clean Clean (post-cleanup)
3.3.1 2011-06-07 Clean Clean (post-cleanup)
3.3.2 2011-08-08 Clean Clean (post-cleanup)
3.3.3b1 2011-10-16 Clean Clean (post-cleanup)
3.3.3b2 2011-10-17 Clean Clean (post-cleanup)
3.3.3 2011-10-18 Clean Clean (post-cleanup)
3.4b2 2011-10-23 Clean Clean (post-cleanup)
3.4b3 2011-11-12 Clean Clean (post-cleanup)
3.4b4 2011-11-12 Clean Clean (post-cleanup)
3.4b5 2011-11-13 Clean Clean (post-cleanup)
3.4b6 2011-11-14 Clean Clean (post-cleanup)
3.4b7 2011-11-17 Clean Clean (post-cleanup)
3.4b8 2011-11-21 Clean Clean (post-cleanup)
3.4b9 2011-11-25 Clean Clean (post-cleanup)
3.4b10 2011-12-02 Clean Clean (post-cleanup)
3.4RC1 2011-12-12 Clean Clean (post-cleanup)
3.4 2011-12-13 Clean Clean (post-cleanup)
3.4.1b1 2011-12-13 Clean Clean (post-cleanup)
3.4.1b2 2011-12-13 Clean Clean (post-cleanup)
3.4.1b3 2011-12-13 Clean Clean (post-cleanup)
3.4.1b4 2011-12-13 Clean Clean (post-cleanup)
3.4.1b5 2011-12-14 Clean Clean (post-cleanup)
3.4.1 2011-12-14 Clean Clean (post-cleanup)
3.4.2b1 2011-12-14 Clean Clean (post-cleanup)
3.4.3b1 2011-12-15 Clean Clean (post-cleanup)
3.4.3b2 2011-12-17 Clean Clean (post-cleanup)
3.4.3b3 2011-12-17 Clean Clean (post-cleanup)
3.4.3 2011-12-19 Clean Clean (post-cleanup)
3.4.4b1 2011-12-29 Clean Clean (post-cleanup)
3.4.4b2 2012-01-05 Clean Clean (post-cleanup)
3.4.4b3 2012-01-12 Clean Clean (post-cleanup)
3.4.2 2012-01-14 Clean Clean (post-cleanup)
3.4.4b4 2012-01-14 Clean Clean (post-cleanup)
3.5b4 2012-01-15 Clean Clean (post-cleanup)
3.5b5 2012-02-25 Clean Clean (post-cleanup)
3.5 2012-03-03 Clean Clean (post-cleanup)
3.5.1b1 2012-03-03 Clean Clean (post-cleanup)
3.5.2b1 2012-03-05 Clean Clean (post-cleanup)
3.5.1 2012-08-06 Clean Clean (post-cleanup)
3.5.2b2 2012-08-21 Clean Clean (post-cleanup)
3.5.2 2012-08-24 Clean Clean (post-cleanup)
3.5.3b1 2012-09-06 Clean Clean (post-cleanup)
3.5.3b2 2012-09-09 Clean Clean (post-cleanup)
3.5.2b3 2012-09-15 Clean Clean (post-cleanup)
3.5.3b4 2012-09-15 Clean Clean (post-cleanup)
3.5.3 2012-09-17 Clean Clean (post-cleanup)
3.5.4b2 2012-09-27 Clean Clean (post-cleanup)
3.5.4b3 2012-09-27 Clean Clean (post-cleanup)
3.5.4b4 2012-09-28 Clean Clean (post-cleanup)
3.5.4 2012-10-01 Clean Clean (post-cleanup)
3.5.5 2012-10-23 Clean Clean (post-cleanup)
3.5.6b1 2012-10-23 Clean Clean (post-cleanup)
3.5.6 2012-11-13 Clean Clean (post-cleanup)
3.6b1 2012-11-24 Clean Clean (post-cleanup)
3.6b2 2012-11-25 Clean Clean (post-cleanup)
3.6b3 2012-11-25 Clean Clean (post-cleanup)
3.6b4 2012-11-26 Clean Clean (post-cleanup)
3.6b5 2012-11-27 Clean Clean (post-cleanup)
3.6b6 2012-11-28 Clean Clean (post-cleanup)
4.0b8 2012-12-02 Clean Clean (post-cleanup)
4.0b9 2012-12-02 Clean Clean (post-cleanup)
4.0 2012-12-03 Clean Clean (post-cleanup)
4.0.1b1 2012-12-04 Clean Clean (post-cleanup)
4.0.1b2 2012-12-04 Clean Clean (post-cleanup)
4.0.1b3 2012-12-05 Clean Clean (post-cleanup)
4.0.1 2012-12-05 Clean Clean (post-cleanup)
3.0.2b1 2012-12-10 Clean Clean (post-cleanup)
4.0.2b2 2012-12-10 Clean Clean (post-cleanup)
4.0.2 2012-12-11 Clean Clean (post-cleanup)
4.0.3b1 2012-12-17 Clean Clean (post-cleanup)
4.0.3b2 2012-12-17 Clean Clean (post-cleanup)
4.0.3b4 2012-12-19 Clean Clean (post-cleanup)
4.0.3 2012-12-24 Clean Clean (post-cleanup)
4.0.4b1 2013-01-14 Clean Clean (post-cleanup)
4.0.4b2 2013-01-14 Clean Clean (post-cleanup)
4.0.4b3 2013-01-28 Clean Clean (post-cleanup)
4.0.4b4 2013-02-12 Clean Clean (post-cleanup)
4.0.4b5 2013-02-12 Clean Clean (post-cleanup)
4.0.4 2013-02-13 Clean Clean (post-cleanup)
4.0.5b1 2013-02-19 Clean Clean (post-cleanup)
4.0.5 2013-02-25 Clean Clean (post-cleanup)
4.0.6b1 2013-03-11 Clean Clean (post-cleanup)
4.0.6b2 2013-03-29 Clean Clean (post-cleanup)
4.0.6b3 2013-03-29 Clean Clean (post-cleanup)
4.0.6b4 2013-03-31 Clean Clean (post-cleanup)
4.0.7b1 2013-05-11 Clean Clean (post-cleanup)
4.0.6 2013-09-17 Clean Clean (post-cleanup)
4.0.7 2013-10-14 Clean Clean (post-cleanup)
4.0.8 2013-10-18 Clean Clean (post-cleanup)
4.1 2013-12-11 Clean Clean (post-cleanup)
4.1.1 2013-12-12 Clean Clean (post-cleanup)
4.1.2 2014-03-17 Clean Clean (post-cleanup)
4.2 2014-05-08 Clean Clean (post-cleanup)
4.2.1 2014-05-08 Clean Clean (post-cleanup)
4.2.2 2014-05-09 Clean Clean (post-cleanup)
4.2.3 2014-09-23 Clean Clean (post-cleanup)
4.2.4 2014-09-23 Clean Clean (post-cleanup)
4.2.5 2015-05-14 Clean Clean (post-cleanup)
4.3.1 2016-01-15 Clean Clean (post-cleanup)
4.3.2 2016-12-20 Clean Clean (post-cleanup)
4.3.3 2016-12-27 Clean Clean (post-cleanup)
4.3.4 2017-01-03 Clean Clean (post-cleanup)
4.3.5 2017-01-03 Clean Clean (post-cleanup)
4.3.6 2017-01-03 Clean Clean (post-cleanup)
4.4 2017-01-31 Clean Clean (post-cleanup)
4.2.6 2019-04-26 Clean Clean (post-cleanup)
4.5 2019-05-18 Clean Clean (post-cleanup)
4.6 2019-07-01 Clean Clean (post-cleanup)
5.0.0 2019-07-01 Clean Clean (post-cleanup)
5.0.1 2019-07-08 Clean Clean (post-cleanup)
5.1.0 2019-07-09 Clean Clean (post-cleanup)
5.1.1 2019-09-23 Clean Clean (post-cleanup)
5.1.2 2019-11-06 Clean Clean (post-cleanup)
5.1.3 2020-04-07 Clean Clean (post-cleanup)
5.1.4 2020-05-11 Clean Clean (post-cleanup)
5.1.5 2020-05-11 Clean Clean (post-cleanup)
5.1.6 2020-05-15 Clean Clean (post-cleanup)
5.1.9 2020-06-25 Clean Clean (post-cleanup)
5.1.8 2020-06-25 Clean Clean (post-cleanup)
5.2.0 2020-07-20 Clean Clean (post-cleanup)
5.2.1 2020-07-20 Clean Clean (post-cleanup)
5.2.2 2020-07-21 Clean Clean (post-cleanup)
5.3.0 2020-07-29 Clean Clean (post-cleanup)
5.4.0 2020-08-03 Clean Clean (post-cleanup)
5.5.0 2020-08-06 Clean Clean (post-cleanup)
5.6.0 2020-08-13 Clean Clean (post-cleanup)
5.7.0 2020-08-18 Clean Clean (post-cleanup)
5.8.0 2020-09-08 Clean Clean (post-cleanup)
5.9.0 2020-09-22 Clean Clean (post-cleanup)
5.10.0 2020-10-22 Clean Clean (post-cleanup)
5.10.1 2020-10-23 Clean Clean (post-cleanup)
5.10.2 2020-11-23 Clean Clean (post-cleanup)
3.2 2021-02-03 Clean Clean (post-cleanup)
3.2.2 2021-02-03 Clean Clean (post-cleanup)
3.2.2b1 2021-02-03 Clean Clean (post-cleanup)
3.2.3b3 2021-02-03 Clean Clean (post-cleanup)
3.2.1 2021-02-03 Clean Clean (post-cleanup)
3.2.3b2 2021-02-03 Clean Clean (post-cleanup)
3.2.1b1 2021-02-03 Clean Clean (post-cleanup)
3.2.1b2 2021-02-03 Clean Clean (post-cleanup)
3.2.1b4 2021-02-03 Clean Clean (post-cleanup)
3.2.3b1 2021-02-03 Clean Clean (post-cleanup)
3.2.1b3 2021-02-03 Clean Clean (post-cleanup)
3.2b4 2021-02-03 Clean Clean (post-cleanup)
3.2b3 2021-02-03 Clean Clean (post-cleanup)
5.11.0 2021-02-08 Clean Clean (post-cleanup)
5.12.0 2021-02-22 Clean Clean (post-cleanup)
5.13.0 2021-03-01 Clean Clean (post-cleanup)
5.14.0 2021-03-09 Clean Clean (post-cleanup)
5.15.1 2021-03-11 Clean Clean (post-cleanup)
5.15.2 2021-03-12 Clean Clean (post-cleanup)
5.15.3 2021-03-15 Clean Clean (post-cleanup)
5.16.1 2021-03-29 Clean Clean (post-cleanup)
5.16.0 2021-03-29 Clean Clean (post-cleanup)
5.17.0 2021-04-06 Clean Clean (post-cleanup)
5.18.1 2021-04-19 Clean Clean (post-cleanup)
5.18.2 2021-04-19 Clean Clean (post-cleanup)
5.19.0 2021-04-29 Clean Clean (post-cleanup)
5.20.0 2021-05-06 Clean Clean (post-cleanup)
5.21.0 2021-05-14 Clean Clean (post-cleanup)
5.22.0 2021-05-24 Clean Clean (post-cleanup)
5.23.0 2021-06-02 Clean Clean (post-cleanup)
5.1.7 2021-06-02 Clean Clean (post-cleanup)
5.24.0 2021-06-21 Clean Clean (post-cleanup)
5.25.0 2021-06-23 Clean Clean (post-cleanup)
5.26.0 2021-07-15 Clean Clean (post-cleanup)
5.27.0 2021-07-20 Clean Clean (post-cleanup)
5.27.1 2021-08-03 Clean Clean (post-cleanup)
5.27.2 2021-08-12 Clean Clean (post-cleanup)
5.27.3 2021-08-16 Clean Clean (post-cleanup)
5.27.4 2021-08-25 Clean Clean (post-cleanup)
5.27.5 2021-09-15 Clean Clean (post-cleanup)
5.27.6 2021-10-12 Clean Clean (post-cleanup)
5.27.7 2021-10-29 Clean Clean (post-cleanup)
5.27.8 2022-07-05 Clean Clean (post-cleanup)
5.30.1 2022-11-08 Clean Clean (post-cleanup)
5.30.2 2023-01-29 Clean Clean (post-cleanup)
5.30.3 2023-04-28 Clean Clean (post-cleanup)
5.30.4 2023-07-17 Clean Clean (post-cleanup)
5.30.5 2023-07-18 Clean Clean (post-cleanup)
5.30.6 2023-08-09 Clean Clean (post-cleanup)
5.30.7 2023-11-20 Clean Clean (post-cleanup)
5.30.8 2023-11-21 Clean Clean (post-cleanup)
5.30.9 2023-11-21 Clean Clean (post-cleanup)
5.30.10 2024-02-17 Clean Clean (post-cleanup)
5.30.11 2024-11-11 Current Current release

Plugin

| | | |---|---| | Slug | yet-another-related-posts-plugin (YARPP) | | Author | jeffparker | | Active installs | 100,000 | | Total downloads | 7,960,579 | | Added | 2008-01-02 | | Last update | 2024-11-11 (v5.30.11) | | Closed? | No |

The chain (still in source as of v5.30.11)

classes/YARPP_Core.php:2099-2118:

public function version_info( $enforce_cache = false ) {
    if ( ! $enforce_cache && false !== ( $result = $this->get_transient( 'yarpp_version_info' ) ) ) {
        return $result;
    }

    $version = YARPP_VERSION;
    $remote  = wp_remote_post(
        "https://yarpp.org/checkversion.php?format=php&version={$version}",
        array( 'sslverify' => false )                                                   // ← TLS regression (added 2021-10-12)
    );

    if ( is_wp_error( $remote ) || wp_remote_retrieve_response_code( $remote ) != 200 
         || ! isset( $remote['body'] ) 
         || ! is_array( $remote['body'] ) ) {                                           // ← always-true: gate the unserialize never reaches
        $this->set_transient( 'yarpp_version_info', null, 60 * 60 );
        return false;
    }

    if ( $result = @unserialize( $remote['body'] ) ) {                                  // ← IOC sink, unreachable
        $this->set_transient( 'yarpp_version_info', $result, 60 * 60 * 24 );
    }

    return $result;
}

Three suspicious patterns compounding: 1. Hardcoded HTTP-fetch with sslverify => false — TLS cert validation disabled on transport. 2. responseType=php — explicitly asks for PHP-serialized payload. 3. Error-suppressed @unserialize of remote body, no allowlist, no integrity check.

That's the classic content-egg shape (audit #15). Latent PHP Object Injection if the chain were reachable — any gadget chain (Symfony, Composer, Magento, etc.) becomes RCE on the WordPress site if the operator endpoint or any TLS-MITM path is ever hostile.

Why it's unreachable

Gate failure 1: `! is_array($remote['body'])` is always true

wp_remote_post() returns an associative array where body is always a string — that's been WordPress's WP_Http contract since WP 2.7 (2008). So is_array($remote['body']) is false, ! is_array(...) is true, and the early-return on the next line always fires. The @unserialize line is never executed.

$ php -r '$remote = ["body" => "anything"]; var_dump(is_array($remote["body"]));'
bool(false)

This looks like a programmer typo — the author probably intended ! is_array($remote) (defending against null/error responses) but wrote ! is_array($remote['body']), which inverted the meaning and accidentally made the chain dead. Whatever the intent, the practical effect is that version_info() has been silently returning false on every call for ~6 years.

Gate failure 2: live endpoint returns inert HTML

Probed 2026-04-30:

$ curl -X POST "https://yarpp.org/checkversion.php?format=php&version=5.30.11"
HTTP/2 200 
content-type: text/html
content-length: 41

<html><body><h1>200 OK</h1></html></body>

41 bytes of HTML. Even if the is_array gate were fixed, the body isn't serialized PHP — @unserialize($html) returns false, set_transient is never called, function returns false. No exploitation path.

yarpp.org itself 301-redirects to https://yarpp.com/, which serves the active brand site. The checkversion.php URL was preserved (returns harmless 200) presumably for the long tail of installs still polling it.

Git-level forensics

| Date | Tag | Event | |---|---|---| | 2008-01-02 | 1.0 | Plugin shipped — original version_info() already does wp_remote_post(http://yarpp.org/checkversion.php?format=php) + @unserialize($remote['body']). Live exposure begins. | | 2013-12-11 | 4.1-era | Function structure stable; ! isset($remote['body']) early-return added but no is_array typo gate yet. Still exposed. | | ≤ 2020-05-11 | v5.1.4 | Typo gate ! is_array($remote['body']) already present. Chain becomes unreachable at some commit between 2013-12 and 2020-05 (more precise bisection skipped). | | 2020-04-07 | v5.1.3 | URL switched from http:// to https:// (TLS introduced). | | 2021-10-12 | v5.27.6 | Regression: sslverify => false added by jeffparker. TLS cert validation disabled. (Doesn't change the exploit picture because the chain is already unreachable, but it's a defensive regression worth noting.) | | 2026-04-30 | v5.30.11 | Current state — chain unchanged, endpoint returns inert HTML. |

commit fd784c2 (2021-10-12) added sslverify => false to both the version_info() and optin_ping() calls. Likely the author was debugging a cert-chain issue from a host without proper CA bundles and committed the disable as a workaround.

Endpoint ownership

yarpp.org ↔ yarpp.com are both Jeff Parker's domains:

yarpp.org 301 → yarpp.com
yarpp.com serves an active YARPP brand site
wp.org profile https://profiles.wordpress.org/jeffparker/ shows display name "YARPP" — author identity matches domain

No "dangling-resource takeover" risk on the domain itself.

Threat model retrospective

If the typo gate had not existed (or were "fixed" by a future contributor), the exposure surface would have been:

Anyone in a TLS-MITM position (since 2021-10-12, when sslverify => false was added — before that, TLS was honored)
yarpp.org's hosting provider, DNS provider, or any future buyer of the domain
Anyone who compromised the YARPP server hosting checkversion.php

No public reports of in-the-wild exploitation. The gate has effectively neutralized the chain since v5.1.4 (May 2020) at the latest, and likely earlier.

Author intent assessment

jeffparker is the verified author of record (committer since 2013-09, member since [pre-2013]), with mitchoyoshitaka (Mitcho Erlewine, original co-author) as the prior committer 2012-2013, and mnelson4 as a brief 2021 contributor. No supply-chain-style changes — only routine maintenance. The code architecture is consistent with a 2008-era WordPress plugin that grew incrementally without a security retrofit. format=php was a standard PHP idiom of the era; the typo gate looks like an accidental defense rather than intentional gating.

Verdict

Benign — historical exposure (now closed). Same disposition as audit #15 (content-egg): suspect-shape chain matching a known IOC, with two independent failures making it unreachable. Difference from #15: YARPP's "gating" is an accidental typo rather than a deliberate throw, so the unreachability is fragile — a future contributor who "fixes" the always-true check could silently re-enable the sink.

Recommendations

To author (jeffparker): in priority order:

1. Switch the response format off ?format=php. Either change to ?format=json and use json_decode( wp_remote_retrieve_body($remote) ), or drop the version-check entirely (WordPress's own update API now handles this). Removes the IOC entirely. 2. Revert the sslverify => false regression added in v5.27.6 (commit fd784c2, 2021-10-12). If there's a TLS reason it was added, the right fix is updating the local CA bundle, not disabling validation. 3. Fix the always-true ! is_array($remote['body']) gate — but only after doing #1, otherwise this fix re-enables the IOC sink. The intent-likely guard is ! is_array($remote).

Cleanup status

cleanup_status = clean — no live exposure, no remediation needed for site owners. Author should land #1 + #2 above for hygiene; site owners running YARPP today are not at risk from this chain.