Audit #18 Benign

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services · 6k+ installs · baseline 0.9.0 → head 8.2.4 · suspect committer quantumcloud · by austin · closed 2d ago

Actor: QuantumCloud (quantumcloud)

Show full summary

Suspect-shape but multiply-unreachable dead code — benign. WPBot's includes/openai/plugin-upgrader/ and includes/integration/openai/plugin-upgrader/ directories ship a self-update class (QCLD_openaiaddon_AutoUpdate) whose getRemote() method matches the high-confidence catalog IOC unserialize_after_remote_call (the exact shape behind audits #12 scroll-top, #15 content-egg). The chain is structurally unreachable today through five independent failures, the most consequential of which is that the entire plugin-upgrader/ subtree is never loaded by any other file in the plugin — orphan code shipped in 6,000 active installs since v4.3.7 (2023-02-07). No active risk; recommendation is to delete the directories.

✓

Investigated — no compromise found.

Audit retained for the record. No action required.

Plugins under the same committer's SVN access

quantumcloud holds push access to 11 plugins totalling 25k+ active installs. Each non-target plugin scans clean today but represents a one-commit hijack opportunity.

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services — this audit

6k+

Comment Link Remove and Other Comment Tools — clean code, same SVN account (latent risk)

8k+

Slider Hero with Video Background, Animation — clean code, same SVN account (latent risk)

3k+

ChatBot Conversational Forms — clean code, same SVN account (latent risk)

2k+

Simple Link Directory — clean code, same SVN account (latent risk)

2k+

Tabbed Category Product Listing for Woocommerce — clean code, same SVN account (latent risk)

1k+

ChatBot for eCommerce – WoowBot — clean code, same SVN account (latent risk)

1k+

AI Infographic Maker — clean code, same SVN account (latent risk)

700

iChart – Easy Charts and Graphs — clean code, same SVN account (latent risk)

400

Logo or Image Replace by mycore.global — clean code, same SVN account (latent risk)

400

Voice Audio Widgets – Voice recorder with Forms, AI Powered STT, TTS, Transcriptions, Language Teaching — clean code, same SVN account (latent risk)

400

Plugin version history

Every release on wp.org for this plugin, color-coded by relationship to the incident. The compromise window shows where the wp.org Plugin Review Team deleted the malicious tags from SVN — those versions cannot be re-downloaded today.

0.9.0 2018-08-30 Last clean Last clean release before incident
🛑 Compromise window 13 days · 2018-08-30 → 2018-09-12

Malicious releases pushed during this window were deleted from SVN by the wp.org Plugin Review Team. Last malicious tag: 8.2.4.
1.0.0 2018-09-12 PRT cleanup PRT cleanup release — incident closed
1.1.0 2018-09-18 Clean Clean (post-cleanup)
1.1.5 2018-09-18 Clean Clean (post-cleanup)
1.2.0 2018-09-19 Clean Clean (post-cleanup)
1.3.0 2018-09-26 Clean Clean (post-cleanup)
1.5.0 2018-10-08 Clean Clean (post-cleanup)
1.6.0 2018-10-18 Clean Clean (post-cleanup)
1.7.0 2018-11-02 Clean Clean (post-cleanup)
1.8.0 2018-12-10 Clean Clean (post-cleanup)
1.9.0 2019-02-11 Clean Clean (post-cleanup)
2.0.0 2019-02-12 Clean Clean (post-cleanup)
2.1.0 2019-05-02 Clean Clean (post-cleanup)
2.2.0 2019-05-24 Clean Clean (post-cleanup)
2.3.0 2019-05-27 Clean Clean (post-cleanup)
2.4.0 2019-05-31 Clean Clean (post-cleanup)
2.5.0 2019-06-02 Clean Clean (post-cleanup)
2.6.0 2019-06-02 Clean Clean (post-cleanup)
2.7.0 2019-06-11 Clean Clean (post-cleanup)
2.8.0 2019-06-11 Clean Clean (post-cleanup)
2.9.0 2019-07-02 Clean Clean (post-cleanup)
2.9.1 2019-07-24 Clean Clean (post-cleanup)
2.9.2 2019-08-15 Clean Clean (post-cleanup)
2.9.3 2019-08-16 Clean Clean (post-cleanup)
2.9.4 2019-08-19 Clean Clean (post-cleanup)
2.9.5 2019-08-26 Clean Clean (post-cleanup)
2.9.6 2019-09-10 Clean Clean (post-cleanup)
3.0.0 2019-09-12 Clean Clean (post-cleanup)
3.0.1 2019-09-26 Clean Clean (post-cleanup)
3.1.0 2019-10-03 Clean Clean (post-cleanup)
3.2.0 2019-10-23 Clean Clean (post-cleanup)
3.2.1 2019-10-31 Clean Clean (post-cleanup)
3.2.2 2019-11-19 Clean Clean (post-cleanup)
3.2.3 2019-11-20 Clean Clean (post-cleanup)
3.2.5 2019-12-05 Clean Clean (post-cleanup)
3.2.6 2020-01-23 Clean Clean (post-cleanup)
3.2.7 2020-01-31 Clean Clean (post-cleanup)
3.2.8 2020-02-19 Clean Clean (post-cleanup)
3.2.9 2020-03-12 Clean Clean (post-cleanup)
3.3.0 2020-03-16 Clean Clean (post-cleanup)
3.3.1 2020-03-17 Clean Clean (post-cleanup)
3.3.2 2020-03-18 Clean Clean (post-cleanup)
3.3.3 2020-03-23 Clean Clean (post-cleanup)
3.3.4 2020-03-25 Clean Clean (post-cleanup)
3.3.5 2020-04-01 Clean Clean (post-cleanup)
3.3.6 2020-04-08 Clean Clean (post-cleanup)
3.3.7 2020-04-20 Clean Clean (post-cleanup)
3.3.8 2020-04-21 Clean Clean (post-cleanup)
3.3.9 2020-04-29 Clean Clean (post-cleanup)
3.4.0 2020-05-15 Clean Clean (post-cleanup)
3.4.1 2020-06-01 Clean Clean (post-cleanup)
3.4.2 2020-07-02 Clean Clean (post-cleanup)
3.4.3 2020-07-08 Clean Clean (post-cleanup)
3.4.4 2020-07-09 Clean Clean (post-cleanup)
3.4.5 2020-07-15 Clean Clean (post-cleanup)
3.4.6 2020-07-23 Clean Clean (post-cleanup)
3.4.7 2020-08-14 Clean Clean (post-cleanup)
3.4.8 2020-08-21 Clean Clean (post-cleanup)
3.4.9 2020-09-18 Clean Clean (post-cleanup)
3.5.0 2020-09-25 Clean Clean (post-cleanup)
3.5.1 2020-09-26 Clean Clean (post-cleanup)
3.5.2 2020-10-01 Clean Clean (post-cleanup)
3.5.3 2020-10-08 Clean Clean (post-cleanup)
3.5.4 2020-10-23 Clean Clean (post-cleanup)
3.5.5 2020-10-23 Clean Clean (post-cleanup)
3.5.6 2020-10-30 Clean Clean (post-cleanup)
3.5.7 2020-11-12 Clean Clean (post-cleanup)
3.5.8 2020-11-14 Clean Clean (post-cleanup)
3.5.9 2020-11-20 Clean Clean (post-cleanup)
3.6.0 2020-11-20 Clean Clean (post-cleanup)
3.6.1 2020-11-23 Clean Clean (post-cleanup)
3.6.2 2020-11-24 Clean Clean (post-cleanup)
3.6.3 2020-12-08 Clean Clean (post-cleanup)
3.6.4 2020-12-11 Clean Clean (post-cleanup)
3.6.5 2021-01-01 Clean Clean (post-cleanup)
3.6.6 2021-01-06 Clean Clean (post-cleanup)
3.6.7 2021-01-14 Clean Clean (post-cleanup)
3.6.8 2021-01-19 Clean Clean (post-cleanup)
3.6.9 2021-01-19 Clean Clean (post-cleanup)
3.7.0 2021-02-03 Clean Clean (post-cleanup)
3.7.1 2021-02-09 Clean Clean (post-cleanup)
3.7.2 2021-02-15 Clean Clean (post-cleanup)
3.7.3 2021-03-17 Clean Clean (post-cleanup)
3.7.4 2021-03-18 Clean Clean (post-cleanup)
3.7.5 2021-04-01 Clean Clean (post-cleanup)
3.7.6 2021-04-08 Clean Clean (post-cleanup)
3.7.7 2021-04-19 Clean Clean (post-cleanup)
3.7.8 2021-04-26 Clean Clean (post-cleanup)
3.7.9 2021-05-11 Clean Clean (post-cleanup)
3.8.0 2021-05-21 Clean Clean (post-cleanup)
3.8.1 2021-05-24 Clean Clean (post-cleanup)
3.8.2 2021-07-28 Clean Clean (post-cleanup)
3.8.3 2021-09-02 Clean Clean (post-cleanup)
3.8.5 2021-10-20 Clean Clean (post-cleanup)
3.8.9 2021-11-23 Clean Clean (post-cleanup)
3.9.0 2021-11-23 Clean Clean (post-cleanup)
3.9.1 2021-12-17 Clean Clean (post-cleanup)
3.9.2 2022-01-05 Clean Clean (post-cleanup)
3.9.3 2022-01-27 Clean Clean (post-cleanup)
3.9.4 2022-02-10 Clean Clean (post-cleanup)
3.9.5 2022-03-01 Clean Clean (post-cleanup)
3.9.6 2022-03-02 Clean Clean (post-cleanup)
3.9.7 2022-03-09 Clean Clean (post-cleanup)
3.9.8 2022-03-17 Clean Clean (post-cleanup)
3.9.9 2022-03-29 Clean Clean (post-cleanup)
4.0.1 2022-04-05 Clean Clean (post-cleanup)
4.0.2 2022-04-08 Clean Clean (post-cleanup)
4.0.3 2022-04-11 Clean Clean (post-cleanup)
4.0.4 2022-04-11 Clean Clean (post-cleanup)
4.0.5 2022-04-22 Clean Clean (post-cleanup)
4.0.6 2022-04-27 Clean Clean (post-cleanup)
4.0.7 2022-05-24 Clean Clean (post-cleanup)
4.0.8 2022-05-26 Clean Clean (post-cleanup)
4.0.9 2022-06-01 Clean Clean (post-cleanup)
4.1.0 2022-06-10 Clean Clean (post-cleanup)
4.1.1 2022-06-14 Clean Clean (post-cleanup)
4.1.2 2022-08-02 Clean Clean (post-cleanup)
4.1.3 2022-08-04 Clean Clean (post-cleanup)
4.1.4 2022-08-25 Clean Clean (post-cleanup)
4.1.5 2022-08-30 Clean Clean (post-cleanup)
4.1.8 2022-10-18 Clean Clean (post-cleanup)
4.1.9 2022-10-27 Clean Clean (post-cleanup)
4.2.0 2022-10-28 Clean Clean (post-cleanup)
4.2.1 2022-10-28 Clean Clean (post-cleanup)
4.2.2 2022-11-03 Clean Clean (post-cleanup)
4.2.3 2022-11-08 Clean Clean (post-cleanup)
4.2.4 2022-11-09 Clean Clean (post-cleanup)
4.2.5 2022-12-07 Clean Clean (post-cleanup)
4.2.6 2022-12-21 Clean Clean (post-cleanup)
4.2.7 2023-01-04 Clean Clean (post-cleanup)
4.2.8 2023-01-09 Clean Clean (post-cleanup)
4.2.9 2023-01-09 Clean Clean (post-cleanup)
4.3.0 2023-01-10 Clean Clean (post-cleanup)
4.3.1 2023-01-11 Clean Clean (post-cleanup)
4.3.2 2023-01-24 Clean Clean (post-cleanup)
4.3.3 2023-01-25 Clean Clean (post-cleanup)
4.3.4 2023-01-26 Clean Clean (post-cleanup)
4.3.7 2023-02-07 Clean Clean (post-cleanup)
4.3.8 2023-02-10 Clean Clean (post-cleanup)
4.3.9 2023-02-13 Clean Clean (post-cleanup)
4.4.0 2023-02-19 Clean Clean (post-cleanup)
4.4.1 2023-02-24 Clean Clean (post-cleanup)
4.4.2 2023-02-28 Clean Clean (post-cleanup)
4.4.3 2023-03-20 Clean Clean (post-cleanup)
4.4.4 2023-03-23 Clean Clean (post-cleanup)
4.4.5 2023-03-25 Clean Clean (post-cleanup)
4.4.6 2023-03-27 Clean Clean (post-cleanup)
4.4.7 2023-03-28 Clean Clean (post-cleanup)
4.4.8 2023-03-29 Clean Clean (post-cleanup)
4.4.9 2023-04-05 Clean Clean (post-cleanup)
4.5.1 2023-04-12 Clean Clean (post-cleanup)
4.5.2 2023-05-03 Clean Clean (post-cleanup)
4.5.3 2023-05-11 Clean Clean (post-cleanup)
4.5.4 2023-05-12 Clean Clean (post-cleanup)
4.5.5 2023-05-18 Clean Clean (post-cleanup)
4.5.6 2023-05-25 Clean Clean (post-cleanup)
4.5.7 2023-05-25 Clean Clean (post-cleanup)
4.5.8 2023-05-31 Clean Clean (post-cleanup)
4.5.9 2023-06-02 Clean Clean (post-cleanup)
4.6.0 2023-06-06 Clean Clean (post-cleanup)
4.6.1 2023-06-13 Clean Clean (post-cleanup)
4.6.2 2023-06-13 Clean Clean (post-cleanup)
4.6.3 2023-06-14 Clean Clean (post-cleanup)
4.6.5 2023-06-16 Clean Clean (post-cleanup)
4.6.6 2023-06-16 Clean Clean (post-cleanup)
4.6.7 2023-06-19 Clean Clean (post-cleanup)
4.6.8 2023-06-20 Clean Clean (post-cleanup)
4.6.9 2023-06-22 Clean Clean (post-cleanup)
4.7.0 2023-07-06 Clean Clean (post-cleanup)
4.7.1 2023-07-07 Clean Clean (post-cleanup)
4.7.2 2023-07-11 Clean Clean (post-cleanup)
4.7.3 2023-07-12 Clean Clean (post-cleanup)
4.7.4 2023-07-20 Clean Clean (post-cleanup)
4.7.5 2023-07-26 Clean Clean (post-cleanup)
4.7.6 2023-07-26 Clean Clean (post-cleanup)
4.7.7 2023-07-31 Clean Clean (post-cleanup)
4.7.8 2023-08-09 Clean Clean (post-cleanup)
4.7.9 2023-08-17 Clean Clean (post-cleanup)
4.8.0 2023-08-18 Clean Clean (post-cleanup)
4.8.1 2023-08-21 Clean Clean (post-cleanup)
4.8.2 2023-08-23 Clean Clean (post-cleanup)
4.8.3 2023-08-29 Clean Clean (post-cleanup)
4.8.4 2023-09-01 Clean Clean (post-cleanup)
4.8.5 2023-09-06 Clean Clean (post-cleanup)
4.8.6 2023-09-13 Clean Clean (post-cleanup)
4.8.7 2023-09-14 Clean Clean (post-cleanup)
4.8.8 2023-09-14 Clean Clean (post-cleanup)
4.8.9 2023-09-15 Clean Clean (post-cleanup)
4.9.1 2023-10-11 Clean Clean (post-cleanup)
4.9.2 2023-10-18 Clean Clean (post-cleanup)
4.9.3 2023-10-19 Clean Clean (post-cleanup)
4.9.4 2023-10-24 Clean Clean (post-cleanup)
4.9.5 2023-10-25 Clean Clean (post-cleanup)
4.9.6 2023-10-30 Clean Clean (post-cleanup)
4.9.7 2023-11-01 Clean Clean (post-cleanup)
4.9.8 2023-11-06 Clean Clean (post-cleanup)
4.9.9 2023-11-08 Clean Clean (post-cleanup)
5.0.1 2023-11-17 Clean Clean (post-cleanup)
5.0.2 2023-11-24 Clean Clean (post-cleanup)
5.0.3 2023-11-28 Clean Clean (post-cleanup)
5.0.4 2023-11-28 Clean Clean (post-cleanup)
5.0.5 2023-12-05 Clean Clean (post-cleanup)
5.0.6 2023-12-08 Clean Clean (post-cleanup)
5.0.7 2023-12-20 Clean Clean (post-cleanup)
5.0.9 2023-12-29 Clean Clean (post-cleanup)
5.1.0 2023-12-29 Clean Clean (post-cleanup)
5.1.1 2024-01-04 Clean Clean (post-cleanup)
5.1.2 2024-01-09 Clean Clean (post-cleanup)
5.1.3 2024-01-19 Clean Clean (post-cleanup)
5.1.4 2024-01-31 Clean Clean (post-cleanup)
5.1.5 2024-02-06 Clean Clean (post-cleanup)
5.1.6 2024-02-09 Clean Clean (post-cleanup)
5.1.7 2024-02-28 Clean Clean (post-cleanup)
5.1.8 2024-03-08 Clean Clean (post-cleanup)
5.1.9 2024-03-15 Clean Clean (post-cleanup)
5.2.0 2024-03-22 Clean Clean (post-cleanup)
5.2.1 2024-03-27 Clean Clean (post-cleanup)
5.2.2 2024-04-04 Clean Clean (post-cleanup)
5.2.3 2024-04-05 Clean Clean (post-cleanup)
5.2.4 2024-04-09 Clean Clean (post-cleanup)
5.2.5 2024-04-15 Clean Clean (post-cleanup)
5.2.6 2024-04-17 Clean Clean (post-cleanup)
5.2.7 2024-04-25 Clean Clean (post-cleanup)
5.2.8 2024-04-26 Clean Clean (post-cleanup)
5.2.9 2024-04-29 Clean Clean (post-cleanup)
5.3.0 2024-04-30 Clean Clean (post-cleanup)
5.3.1 2024-05-09 Clean Clean (post-cleanup)
5.3.2 2024-05-09 Clean Clean (post-cleanup)
5.3.3 2024-05-10 Clean Clean (post-cleanup)
5.3.4 2024-05-17 Clean Clean (post-cleanup)
5.3.6 2024-05-20 Clean Clean (post-cleanup)
5.3.7 2024-05-26 Clean Clean (post-cleanup)
5.3.8 2024-05-27 Clean Clean (post-cleanup)
5.3.9 2024-05-29 Clean Clean (post-cleanup)
5.4.1 2024-05-30 Clean Clean (post-cleanup)
5.4.2 2024-05-31 Clean Clean (post-cleanup)
5.4.3 2024-06-10 Clean Clean (post-cleanup)
5.4.4 2024-06-11 Clean Clean (post-cleanup)
5.4.5 2024-06-12 Clean Clean (post-cleanup)
5.4.6 2024-06-13 Clean Clean (post-cleanup)
5.4.7 2024-06-14 Clean Clean (post-cleanup)
5.4.8 2024-06-14 Clean Clean (post-cleanup)
5.4.9 2024-06-24 Clean Clean (post-cleanup)
5.5.0 2024-06-26 Clean Clean (post-cleanup)
5.5.1 2024-06-28 Clean Clean (post-cleanup)
5.5.2 2024-07-01 Clean Clean (post-cleanup)
5.5.3 2024-07-03 Clean Clean (post-cleanup)
5.5.4 2024-07-05 Clean Clean (post-cleanup)
5.5.5 2024-07-09 Clean Clean (post-cleanup)
5.5.6 2024-07-12 Clean Clean (post-cleanup)
5.5.7 2024-07-12 Clean Clean (post-cleanup)
5.5.8 2024-07-25 Clean Clean (post-cleanup)
5.5.9 2024-07-26 Clean Clean (post-cleanup)
5.6.0 2024-07-30 Clean Clean (post-cleanup)
5.6.1 2024-08-02 Clean Clean (post-cleanup)
5.6.2 2024-08-07 Clean Clean (post-cleanup)
5.6.3 2024-08-16 Clean Clean (post-cleanup)
5.6.4 2024-08-19 Clean Clean (post-cleanup)
5.6.6 2024-08-23 Clean Clean (post-cleanup)
5.6.7 2024-08-26 Clean Clean (post-cleanup)
5.6.9 2024-08-30 Clean Clean (post-cleanup)
5.7.0 2024-09-02 Clean Clean (post-cleanup)
5.7.1 2024-09-03 Clean Clean (post-cleanup)
5.7.2 2024-09-04 Clean Clean (post-cleanup)
5.7.4 2024-09-06 Clean Clean (post-cleanup)
5.7.3 2024-09-09 Clean Clean (post-cleanup)
5.7.5 2024-09-09 Clean Clean (post-cleanup)
5.7.6 2024-09-11 Clean Clean (post-cleanup)
5.7.7 2024-09-13 Clean Clean (post-cleanup)
5.7.8 2024-09-16 Clean Clean (post-cleanup)
5.7.9 2024-09-18 Clean Clean (post-cleanup)
5.8.0 2024-09-20 Clean Clean (post-cleanup)
5.8.1 2024-09-25 Clean Clean (post-cleanup)
5.8.3 2024-10-02 Clean Clean (post-cleanup)
5.8.4 2024-10-02 Clean Clean (post-cleanup)
5.8.5 2024-10-07 Clean Clean (post-cleanup)
5.8.6 2024-10-09 Clean Clean (post-cleanup)
5.8.7 2024-10-14 Clean Clean (post-cleanup)
5.8.8 2024-10-16 Clean Clean (post-cleanup)
5.8.9 2024-10-21 Clean Clean (post-cleanup)
5.9.0 2024-10-23 Clean Clean (post-cleanup)
5.9.1 2024-10-24 Clean Clean (post-cleanup)
5.9.2 2024-10-28 Clean Clean (post-cleanup)
5.9.3 2024-10-29 Clean Clean (post-cleanup)
5.9.4 2024-10-31 Clean Clean (post-cleanup)
5.9.5 2024-11-05 Clean Clean (post-cleanup)
5.9.6 2024-11-11 Clean Clean (post-cleanup)
5.9.7 2024-11-14 Clean Clean (post-cleanup)
5.9.8 2024-11-14 Clean Clean (post-cleanup)
5.9.9 2024-11-19 Clean Clean (post-cleanup)
6.0.0 2024-11-22 Clean Clean (post-cleanup)
6.0.1 2024-11-26 Clean Clean (post-cleanup)
6.0.2 2024-11-29 Clean Clean (post-cleanup)
6.0.3 2024-12-02 Clean Clean (post-cleanup)
6.0.4 2024-12-03 Clean Clean (post-cleanup)
6.0.5 2024-12-05 Clean Clean (post-cleanup)
6.0.6 2024-12-06 Clean Clean (post-cleanup)
6.0.7 2024-12-11 Clean Clean (post-cleanup)
6.0.8 2024-12-17 Clean Clean (post-cleanup)
6.0.9 2024-12-18 Clean Clean (post-cleanup)
6.1.1 2024-12-19 Clean Clean (post-cleanup)
6.1.2 2024-12-20 Clean Clean (post-cleanup)
6.1.3 2024-12-24 Clean Clean (post-cleanup)
6.1.4 2024-12-26 Clean Clean (post-cleanup)
6.1.5 2024-12-30 Clean Clean (post-cleanup)
6.1.6 2024-12-31 Clean Clean (post-cleanup)
6.1.7 2025-01-02 Clean Clean (post-cleanup)
6.1.8 2025-01-07 Clean Clean (post-cleanup)
6.1.9 2025-01-08 Clean Clean (post-cleanup)
6.2.1 2025-01-10 Clean Clean (post-cleanup)
6.2.2 2025-01-14 Clean Clean (post-cleanup)
6.2.4 2025-01-16 Clean Clean (post-cleanup)
6.2.5 2025-01-17 Clean Clean (post-cleanup)
6.2.6 2025-01-21 Clean Clean (post-cleanup)
6.2.7 2025-01-23 Clean Clean (post-cleanup)
6.2.8 2025-01-28 Clean Clean (post-cleanup)
6.3.0 2025-01-30 Clean Clean (post-cleanup)
6.3.1 2025-01-31 Clean Clean (post-cleanup)
6.3.2 2025-02-03 Clean Clean (post-cleanup)
6.3.3 2025-02-07 Clean Clean (post-cleanup)
6.3.4 2025-02-11 Clean Clean (post-cleanup)
6.3.5 2025-02-13 Clean Clean (post-cleanup)
6.3.6 2025-02-18 Clean Clean (post-cleanup)
6.3.7 2025-02-25 Clean Clean (post-cleanup)
6.3.8 2025-02-27 Clean Clean (post-cleanup)
6.3.9 2025-03-04 Clean Clean (post-cleanup)
6.4.1 2025-03-06 Clean Clean (post-cleanup)
6.4.2 2025-03-11 Clean Clean (post-cleanup)
6.4.3 2025-03-13 Clean Clean (post-cleanup)
6.4.4 2025-03-18 Clean Clean (post-cleanup)
6.4.5 2025-03-20 Clean Clean (post-cleanup)
6.4.6 2025-03-25 Clean Clean (post-cleanup)
6.4.7 2025-03-25 Clean Clean (post-cleanup)
6.4.8 2025-03-27 Clean Clean (post-cleanup)
6.4.9 2025-04-01 Clean Clean (post-cleanup)
6.5.0 2025-04-03 Clean Clean (post-cleanup)
6.5.1 2025-04-08 Clean Clean (post-cleanup)
6.5.2 2025-04-10 Clean Clean (post-cleanup)
6.5.3 2025-04-16 Clean Clean (post-cleanup)
6.5.4 2025-04-17 Clean Clean (post-cleanup)
6.5.5 2025-04-18 Clean Clean (post-cleanup)
6.5.6 2025-04-22 Clean Clean (post-cleanup)
6.5.7 2025-04-23 Clean Clean (post-cleanup)
6.5.8 2025-04-24 Clean Clean (post-cleanup)
6.5.9 2025-04-29 Clean Clean (post-cleanup)
6.6.0 2025-05-01 Clean Clean (post-cleanup)
6.6.1 2025-05-06 Clean Clean (post-cleanup)
6.6.2 2025-05-08 Clean Clean (post-cleanup)
6.6.3 2025-05-09 Clean Clean (post-cleanup)
6.6.4 2025-05-14 Clean Clean (post-cleanup)
6.6.5 2025-05-15 Clean Clean (post-cleanup)
6.6.6 2025-05-20 Clean Clean (post-cleanup)
6.6.7 2025-05-20 Clean Clean (post-cleanup)
6.6.8 2025-05-22 Clean Clean (post-cleanup)
6.6.9 2025-05-23 Clean Clean (post-cleanup)
6.7.0 2025-05-27 Clean Clean (post-cleanup)
6.7.1 2025-05-29 Clean Clean (post-cleanup)
6.7.2 2025-06-03 Clean Clean (post-cleanup)
6.7.3 2025-06-10 Clean Clean (post-cleanup)
6.7.4 2025-06-16 Clean Clean (post-cleanup)
6.7.5 2025-06-17 Clean Clean (post-cleanup)
6.7.6 2025-06-19 Clean Clean (post-cleanup)
6.7.7 2025-06-24 Clean Clean (post-cleanup)
6.7.8 2025-06-26 Clean Clean (post-cleanup)
6.7.9 2025-07-01 Clean Clean (post-cleanup)
6.8.0 2025-07-03 Clean Clean (post-cleanup)
6.8.1 2025-07-04 Clean Clean (post-cleanup)
6.8.2 2025-07-08 Clean Clean (post-cleanup)
6.8.3 2025-07-10 Clean Clean (post-cleanup)
6.8.4 2025-07-11 Clean Clean (post-cleanup)
6.8.5 2025-07-15 Clean Clean (post-cleanup)
6.8.6 2025-07-17 Clean Clean (post-cleanup)
6.8.7 2025-07-22 Clean Clean (post-cleanup)
6.8.8 2025-07-24 Clean Clean (post-cleanup)
6.8.9 2025-07-25 Clean Clean (post-cleanup)
6.9.0 2025-07-27 Clean Clean (post-cleanup)
6.9.1 2025-07-29 Clean Clean (post-cleanup)
6.9.2 2025-07-31 Clean Clean (post-cleanup)
6.9.3 2025-08-01 Clean Clean (post-cleanup)
6.9.4 2025-08-05 Clean Clean (post-cleanup)
6.9.5 2025-08-06 Clean Clean (post-cleanup)
6.9.6 2025-08-07 Clean Clean (post-cleanup)
6.9.7 2025-08-11 Clean Clean (post-cleanup)
6.9.8 2025-08-13 Clean Clean (post-cleanup)
6.9.9 2025-08-14 Clean Clean (post-cleanup)
7.0.0 2025-08-15 Clean Clean (post-cleanup)
7.1.0 2025-08-18 Clean Clean (post-cleanup)
7.1.1 2025-08-20 Clean Clean (post-cleanup)
7.1.2 2025-08-21 Clean Clean (post-cleanup)
7.1.3 2025-08-22 Clean Clean (post-cleanup)
7.1.4 2025-08-26 Clean Clean (post-cleanup)
7.1.5 2025-08-28 Clean Clean (post-cleanup)
7.1.6 2025-08-28 Clean Clean (post-cleanup)
7.1.7 2025-09-09 Clean Clean (post-cleanup)
7.1.8 2025-09-11 Clean Clean (post-cleanup)
7.1.9 2025-09-16 Clean Clean (post-cleanup)
7.2.0 2025-09-18 Clean Clean (post-cleanup)
7.2.1 2025-09-23 Clean Clean (post-cleanup)
7.2.2 2025-09-25 Clean Clean (post-cleanup)
7.2.3 2025-09-30 Clean Clean (post-cleanup)
7.2.4 2025-10-02 Clean Clean (post-cleanup)
7.2.5 2025-10-06 Clean Clean (post-cleanup)
7.2.6 2025-10-06 Clean Clean (post-cleanup)
7.2.7 2025-10-14 Clean Clean (post-cleanup)
7.2.8 2025-10-14 Clean Clean (post-cleanup)
7.2.9 2025-10-17 Clean Clean (post-cleanup)
7.3.0 2025-10-21 Clean Clean (post-cleanup)
7.3.1 2025-10-23 Clean Clean (post-cleanup)
7.3.2 2025-10-24 Clean Clean (post-cleanup)
7.3.3 2025-10-27 Clean Clean (post-cleanup)
7.3.4 2025-10-27 Clean Clean (post-cleanup)
7.3.5 2025-10-28 Clean Clean (post-cleanup)
7.3.6 2025-10-31 Clean Clean (post-cleanup)
7.3.7 2025-11-03 Clean Clean (post-cleanup)
7.3.8 2025-11-04 Clean Clean (post-cleanup)
7.3.9 2025-11-06 Clean Clean (post-cleanup)
7.4.0 2025-11-07 Clean Clean (post-cleanup)
7.4.1 2025-11-10 Clean Clean (post-cleanup)
7.4.2 2025-11-11 Clean Clean (post-cleanup)
7.4.3 2025-11-12 Clean Clean (post-cleanup)
7.4.4 2025-11-14 Clean Clean (post-cleanup)
7.4.5 2025-11-18 Clean Clean (post-cleanup)
7.4.6 2025-11-20 Clean Clean (post-cleanup)
7.4.7 2025-11-21 Clean Clean (post-cleanup)
7.4.8 2025-11-25 Clean Clean (post-cleanup)
7.4.9 2025-11-27 Clean Clean (post-cleanup)
7.5.0 2025-11-28 Clean Clean (post-cleanup)
7.5.1 2025-12-01 Clean Clean (post-cleanup)
7.5.2 2025-12-03 Clean Clean (post-cleanup)
7.5.3 2025-12-04 Clean Clean (post-cleanup)
7.5.4 2025-12-09 Clean Clean (post-cleanup)
7.5.5 2025-12-11 Clean Clean (post-cleanup)
7.5.6 2025-12-12 Clean Clean (post-cleanup)
7.5.7 2025-12-15 Clean Clean (post-cleanup)
7.5.8 2025-12-17 Clean Clean (post-cleanup)
7.5.9 2025-12-18 Clean Clean (post-cleanup)
7.6.0 2025-12-19 Clean Clean (post-cleanup)
7.6.1 2025-12-19 Clean Clean (post-cleanup)
7.6.2 2025-12-23 Clean Clean (post-cleanup)
7.6.3 2025-12-24 Clean Clean (post-cleanup)
7.6.4 2025-12-30 Clean Clean (post-cleanup)
7.6.5 2026-01-01 Clean Clean (post-cleanup)
7.6.6 2026-01-06 Clean Clean (post-cleanup)
7.6.7 2026-01-08 Clean Clean (post-cleanup)
7.6.8 2026-01-13 Clean Clean (post-cleanup)
7.6.9 2026-01-15 Clean Clean (post-cleanup)
7.7.0 2026-01-19 Clean Clean (post-cleanup)
7.7.1 2026-01-20 Clean Clean (post-cleanup)
7.7.2 2026-01-21 Clean Clean (post-cleanup)
7.7.3 2026-01-23 Clean Clean (post-cleanup)
7.7.4 2026-02-02 Clean Clean (post-cleanup)
7.7.5 2026-02-03 Clean Clean (post-cleanup)
7.7.6 2026-02-06 Clean Clean (post-cleanup)
7.7.7 2026-02-10 Clean Clean (post-cleanup)
7.7.8 2026-02-13 Clean Clean (post-cleanup)
7.7.9 2026-02-13 Clean Clean (post-cleanup)
7.8.0 2026-02-17 Clean Clean (post-cleanup)
7.8.1 2026-02-19 Clean Clean (post-cleanup)
7.8.2 2026-02-20 Clean Clean (post-cleanup)
7.8.3 2026-02-24 Clean Clean (post-cleanup)
7.8.4 2026-02-26 Clean Clean (post-cleanup)
7.8.5 2026-03-03 Clean Clean (post-cleanup)
7.8.6 2026-03-05 Clean Clean (post-cleanup)
7.8.7 2026-03-10 Clean Clean (post-cleanup)
7.8.8 2026-03-12 Clean Clean (post-cleanup)
7.8.9 2026-03-16 Clean Clean (post-cleanup)
7.9.0 2026-03-18 Clean Clean (post-cleanup)
7.9.1 2026-03-19 Clean Clean (post-cleanup)
7.9.2 2026-03-24 Clean Clean (post-cleanup)
7.9.3 2026-03-27 Clean Clean (post-cleanup)
7.9.4 2026-03-31 Clean Clean (post-cleanup)
7.9.5 2026-04-02 Clean Clean (post-cleanup)
7.9.6 2026-04-03 Clean Clean (post-cleanup)
7.9.7 2026-04-06 Clean Clean (post-cleanup)
7.9.8 2026-04-07 Clean Clean (post-cleanup)
7.9.9 2026-04-09 Clean Clean (post-cleanup)
8.0.0 2026-04-13 Clean Clean (post-cleanup)
8.1.0 2026-04-14 Clean Clean (post-cleanup)
8.2.0 2026-04-16 Clean Clean (post-cleanup)
8.2.1 2026-04-23 Clean Clean (post-cleanup)
8.2.2 2026-04-24 Clean Clean (post-cleanup)
8.2.3 2026-04-28 Clean Clean (post-cleanup)
8.2.4 2026-04-29 Current Current release

Plugin

| | | |---|---| | Slug | chatbot | | Name | WPBot — AI ChatBot for Live Support, Lead Generation, AI Services | | Author | quantumcloud (QuantumCloud, Executive Director, member since 2011-12-11) | | Active installs | 6,000 | | Total downloads | 1,231,616 | | Added | 2018-08-30 | | Last update | 2026-04-29 (v8.2.4) — yesterday | | Closed? | No |

Why WP Beacon flagged this

code_pattern event #1758 fired with pattern=unserialize_after_remote_call, confidence=high, hit_count=2. The two hits are duplicate copies of the same file at:

includes/openai/plugin-upgrader/classes/plugin-upgrader.php:190
includes/integration/openai/plugin-upgrader/classes/plugin-upgrader.php:190

// classes/plugin-upgrader.php:169-195
public function getRemote($action = '')
{
    $params = array(
        'body' => array(
            'action'       => $action,
            'plugin-slug'  => $this->slug,
            'license_user' => $this->license_user,
            'license_key'  => $this->license_key,
        ),
    );
    
    $request = wp_remote_post($this->update_path, $params );

    if ( !is_wp_error( $request ) || wp_remote_retrieve_response_code( $request ) === 200 ) {
        return @unserialize( $request['body'] );                         // ← IOC sink
    }
    
    return false;
}

Looks like a textbook self-update channel: license credentials POSTed to a remote endpoint, response @unserialize'd as PHP, no signature, no integrity check. Same shape that made scroll-top a real RCE distribution channel (audit #12, malicious) and that lurked dormant in content-egg for 7 years (audit #15, benign-historical).

The five layers of unreachability

Layer 1 — orphan directory (decisive)

The whole plugin-upgrader/ subtree is loaded by nothing. Searched the full trunk:

$ grep -rn "plugin-upgrader" trunk/ --include='*.php' \
    | grep -v "^trunk/includes/.*/plugin-upgrader/"
# (no output)

The plugin's main file qcld-wpwbot.php lists every require_once at the top — none touch plugin-upgrader/. Neither does includes/integration/openai/qcld-bot-openai.php (the OpenAI integration's own loader). The directory is shipped to wp.org but never PHP-loaded at runtime.

Layer 2 — dispatcher itself stubbed out

The "outer" file plugin-upgrader/plugin-upgrader.php (which would load the class file if anything required it) consists entirely of commented-out lines:

<?php
// require_once(plugin_dir_path(__FILE__).'/config.php');
// require_once(plugin_dir_path(__FILE__).'/classes/plugin-upgrader.php');
// require_once(plugin_dir_path(__FILE__).'/admin/license-settings-page.php');
// require_once(plugin_dir_path(__FILE__).'/admin/admin-notices.php');
// require_once(plugin_dir_path(__FILE__).'/utils.php');
// new qcld_openaiaddon_License_Settings_page();

So even if a future contributor requires the dispatcher, all the inner loads are commented out. They'd have to uncomment those too.

Layer 3 — typo in `update_path` (breaks `wp_remote_post`)

If both layers 1 and 2 were bypassed, utils.php:9 would still pass the wrong constant:

$plugin_remote_path = openaiaddon_LICENSING_PLUGIN_NAME;       // ← typo
//                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
//                   defined as 'chatbot-openai-addon' (slug, not URL)
//
//   intended:       openaiaddon_LICENSING_REMOTE_PATH
//                   = 'https://www.ultrawebmedia.com/li/plugins/chatbot-openai-addon/update.php'

wp_remote_post("chatbot-openai-addon", $params) returns WP_Error (invalid URL). The if-condition !is_wp_error($request) || response_code === 200 becomes false || false (no response, no code) → falls through to return false. @unserialize never runs.

This typo has been there since the file was first added at v4.3.7 (2023-02-07, r2861400 "Added OpenAI support") and was carried forward into the duplicate path created at v6.6.5 (2025-05-15) when QuantumCloud refactored to add OpenRouter support. 3 years of unreachability via this typo alone.

Layer 4 — endpoint dead (since 2019)

Even with layers 1-3 fixed, the intended endpoint https://www.ultrawebmedia.com/li/plugins/chatbot-openai-addon/update.php is dead:

$ curl -s -I "https://www.ultrawebmedia.com/"
HTTP/2 200 
last-modified: Tue, 28 May 2019 11:28:03 GMT
content-length: 780
content-type: text/html

The site has served a "Website Under Maintenance" 503 page since 2019. Worse, the server isn't executing PHP — the maintenance file leaks raw <?php source as text. Domain still resolves and is presumably owned by QuantumCloud, but the licensing infrastructure has been decommissioned for ~7 years.

If the endpoint were restored and serving HTML rather than PHP-serialized payloads, @unserialize($html) returns false → harmless.

Layer 5 — admin-set conditional gate

Final layer: even if 1-4 were all bypassed and the endpoint served PHP-serialized data, instantiation only happens when:

if( $buy_from == 'quantumcloud' ){                              // utils.php:13
    $upgrader_instance = new qcld_openaiaddon_AutoUpdate(...);
}

$buy_from is get_option('qcld_openaiaddon_buy_from_where') — set via the plugin's license-settings admin form. Default is empty (no instantiation). So the user has to actively configure the plugin to a license source that's been broken since 2019.

Origin and provenance

| Date | Tag | Event | |---|---|---| | 2023-02-07 | v4.3.7 | r2861400 "Added OpenAI support" — entire includes/openai/plugin-upgrader/ directory created in one commit. The typo (_PLUGIN_NAME instead of _REMOTE_PATH), the commented-out dispatcher, and the @unserialize chain all introduced together. Code looks copy-pasted from a generic 2010s-era WordPress self-update template. | | 2025-05-15 | v6.6.5 | r3293987 "Added OpenRouter Support" — includes/integration/openai/plugin-upgrader/ directory added as a duplicate of includes/openai/plugin-upgrader/. Refactor leftover; old path still exists. Both copies have the same dead-code shape. | | 2025-10-14 | v7.x | r3378160 "Code optimization and security fixes" — touched the upgrader files but didn't fix the typo or wire up the loader. | | 2026-04-16 | v8.2.0 | r3508060 "Improved security" — added if (!defined('ABSPATH')) exit; guard to utils.php and a few other files. Standard wp.org-review hygiene; does not affect the chain. | | 2026-04-29 | v8.2.4 | Latest release — chain unchanged, still orphan. |

Author identity

quantumcloud is a real WP-ecosystem company:

Display name: QuantumCloud, member since 2011-12-11
Job title: Executive Director, employer: QuantumCloud (verified via wp_wpbeacon_authors)
15 plugins on wp.org, biggest are comment-link-remove (8k installs) and chatbot (6k)
Sole committer across full chatbot history (482 SVN commits, 2018-08 → 2026-04)

I sampled 5 of the other QuantumCloud plugins (comment-link-remove, woowbot-woocommerce-chatbot, slider-hero, conversational-forms, simple-link-directory) — none have a similar @unserialize-after-remote-post chain. The pattern is unique to chatbot's abandoned licensing scaffold.

Domains the plugin actually contacts

scan-deltas harvested 19 domains for chatbot:

AI providers (legit, expected): openai.com, openrouter.ai, x.ai, gemini.ai, googleapis.com, dialogflow.com, google.com, facebook.net
Messaging integrations (legit): viber.com, whatsapp.com, youtube.com
QuantumCloud's own brands: quantumcloud.com, wpbot.pro, woowbot.pro, ultrawebmedia.com (maintenance), turbopowers.com, testversions.com
Other: cxthemes.com, dna88.com — both QuantumCloud demo/dev domains

No callback to dynamic-DNS, no hardcoded IPs, no Russian/Chinese VPS. Author identity matches all reachable domains.

Verdict

Benign — dead code shipped. Same verdict class as audits #15 (content-egg) and #17 (YARPP): suspect-static-pattern, multiply unreachable. Difference: YARPP's chain has one gate (the typo'd is_array check) — close enough to weaponizable that I called it "fragile." Chatbot has five layers, and the outer one (orphan directory) is the kind of mistake that's normally caught by basic test coverage. To weaponize you'd need 3+ separate code edits AND a server-side change to a domain that's been dark for 7 years. Practical risk: zero today, low even on hostile-takeover scenarios.

Recommendations

To author (QuantumCloud), in priority order:

1. Delete both includes/openai/plugin-upgrader/ and includes/integration/openai/plugin-upgrader/ directories. They've been unreachable orphan code for 3 years. Their only effect is making static analyzers (Patchstack, Wordfence, WP Beacon) flag the plugin. If licensing is needed, use Freemius (already integrated by other QuantumCloud plugins) or EDD-SL with signed payloads. 2. Stop shipping .idea/ IntelliJ project metadata in tags. v8.2.0 included tags/8.2.0/.idea/workspace.xml etc. — leaks dev environment details (no credentials, but unnecessary). Add .idea/ to .svnignore for tag releases. 3. If keeping the licensing module for any reason, fix utils.php:9 (_PLUGIN_NAME → _REMOTE_PATH) only after wiring up an integrity-checked replacement for @unserialize. The current code is a textbook PHP Object Injection sink that has been disarmed only by accident.

To WP Beacon detector:

This is now the third audit (#15, #17, #18) in the unserialize_after_remote_call "suspect-but-unreachable" disposition class. The triage cost is real (each one requires git-level forensics to confirm unreachability). Two enhancements worth considering:

cleanup_status = fragile as an audit verdict-class, with fragile_gates JSON column listing the sentinel-strings (e.g. is_array($remote['body']) for YARPP, commented-out require_once for chatbot, throw new Exception for content-egg). A fragile-recheck scan phase would re-confirm those sentinels every pass and fire audit_gate_dropped if any disappears.
A "load-reachability" filter on the unserialize_after_remote_call rule — if the file containing the match is require_once'd from nowhere in the codebase, downgrade to info rather than critical. Would have auto-cleared chatbot's 5,000+ similar future reports without needing a full audit.

Cleanup status

cleanup_status = clean — chain has never been reachable in any production scenario. No remediation needed for site owners running chatbot today. Author should land recommendation #1 to remove the static IOC from future detector runs, but the surface is already secure.