WP Beacon

← All audits

Audit #29 Benign

Greenshift – animation and page builder blocks · 70k+ installs · baseline 12.5.7 → head 12.9.5 · closed 18d ago

Actor: wpsoul (Illia, commercial plugin vendor — sole committer since 2022-02-26, 200 commits)
Show full summary

Verdict: benign — wp.org guideline violation, not malware. Greenshift was closed by wp.org twice in four months (2026-01-15 and 2026-04-29) over the same root cause: the free plugin shipped a full paid-license activation system + hardcoded "Buy Now" upsell links to the author's commercial store. Free wp.org-hosted plugins are not permitted to bundle license-key flows that activate paid features or to operate as an upsell channel for a separate commercial offering.

Sole committer wpsoul has been the only SVN contributor since 2022-02-26 across 200 commits. No takeover, no external committer, no obvious supply-chain compromise vector. The author is the original commercial vendor (real first name Illia per a 2026-01-15 forum exchange with user david), running the Greenshift commercial business at shop.greenshiftwp.com.

Malware-pattern sweep on HEAD (v12.9.5) returned zero hits across 16 IOC categories (eval/base64, gzinflate, eval/$_POST, shell_exec, create_function, preg_replace /e, persistence, known campaign C2 domains). The plugin makes a single outbound wp_remote_get($file_uri, ...) call with no hardcoded suspicious endpoint.

This is the same enforcement class as the late-April 2026 wp.org compliance wave that closed ~85 plugins from wpcodefactory, bplugins, algoritmika, and woobewoo. It is not a security incident, and sites running Greenshift are not compromised — but the plugin will remain unavailable on wp.org until the author completes the compliance cleanup and wp.org reopens it.

Investigated — no compromise found.

Audit retained for the record. No action required.

Plugins under the same committer's SVN access

wpsoul holds push access to 4 plugins totalling 71k+ active installs. Each non-target plugin scans clean today but represents a one-commit hijack opportunity.

Greenshift – animation and page builder blocks — this audit
70k+
Greenshift Smart Code AI — clean code, same SVN account (latent risk)
1k+
GreenCon – Table, Listing, Marketing builder for Gutenberg — closed by wp.org
Table Maker — closed by wp.org

Plugin version history

Every release on wp.org for this plugin. The plugin was closed by wp.org pending review, but this audit found no malicious code in any version. Sites already running it are not exposed to a security incident — see the cleanup section below for non-emergency guidance.

  1. Earlier 159 earlier releases
    • 0.8.7
    • 0.9
    • 0.9.2
    • 1.0.8
    • 1.8.1
    • 2.8.4
    • 4.8.1
    • 5.9.6
    • 6.7.7
    • 8.1.2
    • 8.2.2
    • 8.8.9
    • 8.8.9.1
    • 8.9.3
    • 8.9.4
    • 8.9.5
    • 8.9.6
    • 8.9.7
    • 8.9.8
    • 8.9.9
    • 9.0.1
    • 9.0
    • 9.1
    • 9.1.1
    • 9.1.2
    • 9.1.3
    • 9.1.4
    • 9.1.5
    • 9.1.6
    • 9.2
    • 9.2.1
    • 9.2.2
    • 9.3
    • 9.3.1
    • 9.3.2
    • 9.3.4
    • 9.3.5
    • 9.3.6
    • 9.3.7
    • 9.4
    • 9.5
    • 9.5.1
    • 9.5.2
    • 9.5.4
    • 9.5.5
    • 9.5.6
    • 9.6
    • 9.6.1
    • 9.7
    • 9.8
    • 9.8.1
    • 9.9
    • 9.9.1
    • 9.9.2
    • 9.9.3
    • 9.9.4
    • 9.9.5
    • 9.9.6
    • 9.9.7
    • 9.9.7.1
    • 9.9.8
    • 9.9.8.3
    • 9.9.8.4
    • 9.9.8.5
    • 9.9.8.6
    • 9.9.8.7
    • 9.9.8.8
    • 9.9.9
    • 9.9.9.1
    • 9.9.9.2
    • 9.9.9.3
    • 9.9.9.4
    • 9.9.9.5
    • 9.9.9.6
    • 10.0.0
    • 10.0.1
    • 10.0.2
    • 10.1
    • 10.1.1
    • 10.2
    • 10.2.1
    • 10.2.2
    • 10.2.4
    • 10.2.3
    • 10.3
    • 10.3.1
    • 10.4
    • 10.4.0.3
    • 10.5
    • 10.5.2.1
    • 10.5.2
    • 10.5.1
    • 10.6
    • 10.6.1
    • 10.6.2
    • 10.6.3
    • 10.6.4
    • 10.6.5
    • 10.6.6
    • 10.6.7
    • 10.7
    • 10.8
    • 10.9
    • 10.9.1
    • 10.9.2
    • 11.0
    • 11.0.1
    • 11.0.2
    • 11.0.3
    • 11.1
    • 11.2
    • 11.3
    • 11.3.1
    • 11.4
    • 11.4.0.1
    • 11.4.5
    • 11.4.6
    • 11.5
    • 11.5.1
    • 11.5.2
    • 11.5.4
    • 11.5.5
    • 11.5.6
    • 11.5.7
    • 11.6
    • 11.7
    • 11.7.1
    • 11.7.2
    • 11.8
    • 11.8.1
    • 11.9
    • 11.9.1
    • 11.9.2
    • 11.9.3
    • 11.9.4
    • 12.0
    • 12.1
    • 12.1.1
    • 12.1.2
    • 12.2
    • 12.2.1
    • 12.2.3
    • 12.2.4
    • 12.2.5
    • 12.2.6
    • 12.2.7
    • 12.2.8
    • 12.2.9
    • 12.3
    • 12.3.1
    • 12.3.3
    • 12.4
    • 12.4.1
    • 12.5
    • 12.5.1
    • 12.5.2
    • 12.5.6
    • 12.5.5
    • 12.5.4
  2. 12.5.7 Audit baseline Last clean release before incident
  3. 12.6 Released Clean (post-cleanup)
  4. 12.6.1 Released Clean (post-cleanup)
  5. 12.6.2 Released Clean (post-cleanup)
  6. 12.6.3 Released Clean (post-cleanup)
  7. 12.6.4 Released Clean (post-cleanup)
  8. 12.6.5 Released Clean (post-cleanup)
  9. 12.7 Released Clean (post-cleanup)
  10. 12.7.1 Released Clean (post-cleanup)
  11. 12.8.1 Released Clean (post-cleanup)
  12. 12.8.2 Released Clean (post-cleanup)
  13. 12.8.3 Released Clean (post-cleanup)
  14. 12.8.4 Released Clean (post-cleanup)
  15. 12.8.5 Released Clean (post-cleanup)
  16. 12.8.6 Released Clean (post-cleanup)
  17. 12.8.7 Released Clean (post-cleanup)
  18. 12.8.8 Released Clean (post-cleanup)
  19. 12.8.9 Released Clean (post-cleanup)
  20. 12.9.0 Released Clean (post-cleanup)
  21. 12.9.3 Released Clean (post-cleanup)
  22. 12.9.4 Released Clean (post-cleanup)
  23. Closure

    wp.org closed this plugin pending review. No malicious code was found in any release; the closure reflects a policy decision (commonly: guideline compliance, vendor commercial-content rules, or extended unmaintenance). Releases below remain installed on existing sites and are not a security exposure.

  24. 12.9.5 Audit head First malicious release (head of audit)

Timeline reconstructed from SVN/git

DateVersionAction
2024-05-29v8.8.9.1edd/EddLicensePage.php introduced (paid-addon licensing module)
...(multi-year normal release cadence under wpsoul, sole committer)
2026-01-11v12.5.7Last release before first closure
2026-01-15wp.org closes plugin ("temporary, pending a full review" per forum thread by david)
2026-01-17v12.6 → v12.6.5Five rapid releases the same day — minor edits to init.php, package.json (-1 line), readme.txt. Plugin reopens.
2026-01-21 → 2026-04-23v12.7 → v12.9.3Normal release cadence resumes for ~3 months. License code remains in place (EddLicensePage.php still 729 lines at v12.9.3)
2026-04-29v12.9.4wp.org closes again (silent, no public reason). Same-day v12.9.4 ships.
2026-05-01v12.9.5EddLicensePage.php gutted: 729 lines → 46 lines. Class removed entirely; only a now-no-op cron stub remains

Boundary diff #1 — v12.5.7 → v12.6 (first-closure fix, Jan 17)

Modest edits across 13 files, mostly version-bump churn in built JS artifacts:

build/gspbLibrary.asset.php    | 2 +-
build/gspbLibrary.js           | 2 +-
build/gspbSiteEditor.asset.php | 2 +-
build/gspbSiteEditor.js        | 2 +-
build/gspbStylebook.asset.php  | 2 +-
build/gspbStylebook.js         | 2 +-
build/index.asset.php          | 2 +-
build/index.js                 | 2 +-
init.php                       | 16 +++++++++++++---
instruction_markdown.md        | 5 ++---
package.json                   | 1 -
plugin.php                     | 2 +-
readme.txt                     | 7 ++++++-
13 files changed, 30 insertions(+), 17 deletions(-)

The compliance fix here was minor — package.json -1, small init.php adjustment. The bulk of the violating code stayed in.

Boundary diff #2 — v12.9.3 → v12.9.5 (second-closure fix, Apr 29 → May 1)

edd/EddLicensePage.php  | 729 --------------------------------
includes/importer.php   |  39 +-
init.php                |  32 +-
plugin.php              |  21 +-
readme.txt              |  60 ++-
... (libs/* version bumps)
21 files changed, 166 insertions(+), 784 deletions(-)

The headline change is the complete gutting of edd/EddLicensePage.php — the class that managed paid-license activation. What remained (46 lines) is just a vestigial cron hook that does nothing because the class it references no longer exists.

What was in the deleted code

The EddLicensePage class managed paid-addon license keys with this shape:

'all_in_one' => [
    'plugin_id' => 223,
    'plugin_name' => 'All in One Access',
    'license_key' => 'edd_license_key_all_in_one',
    'expires_key' => 'edd_license_expires_all_in_one',
    'license_status_key' => 'edd_license_status_all_in_one',
    'license' => '',
    'status' => '',
    'expires' => '',
    'license_limit' => '',
    'included_in' => [],
],
'all_in_one_seo' => [
    'plugin_id' => 289,
    'plugin_name' => 'SEO Pack',
    ...
],

plugin_id values like 223, 289 are EDD product IDs on the author's commercial store (shop.greenshiftwp.com). The class checked license validity, scheduled daily license re-checks via cron, and stored state in the gspb_edd_licenses option.

Hardcoded commercial-store endpoints (still present)

Even after the v12.9.5 cleanup, the plugin still contains direct links to the commercial store as "Buy Now" buttons inside the WordPress admin UI:

https://shop.greenshiftwp.com/downloads/advanced-animation-addon/
https://shop.greenshiftwp.com/downloads/greenshift-chart-plugin/
https://shop.greenshiftwp.com/downloads/marketing-and-seo-addon/
https://shop.greenshiftwp.com/downloads/query-addon/
https://shop.greenshiftwp.com/demo/woodemo.xml
https://shop.greenshiftwp.com/demo/wootemplates.xml

These would also need to be removed or disclosed differently to fully satisfy wp.org's commercial-content guidelines.

Malware-pattern sweep on HEAD (v12.9.5) — clean

Zero hits across:

Pattern categoryHits
eval(base64...)0
eval(gzinflate...)0
eval($_POST/$_GET/$_REQUEST...)0
system(...), shell_exec(...)0
create_function(...), assert($_...)0
preg_replace .../e modifier0
File-write persistence (fwrite ... .php)0
Known campaign C2 domains (cdnstaticsync.com, safetybis.com, anadnet)0

Only one outbound HTTP call in the entire codebase: wp_remote_get($file_uri, $args) — generic, with no hardcoded suspicious destination.

Why this isn't a hijack

IndicatorGreenshift
Sole committer for 4+ years?✓ wpsoul, since 2022-02-26
Sudden new committer before closure?✗ — wpsoul was the only committer through both closures
Author profile drift / replacement?✗ — same author, real name Illia, public commercial business
Code-level malware patterns?✗ — all 16 IOC categories clean
Outbound C2 / known bad domains?
Suspicious obfuscation / new dependencies?
New SVN credentials / committer roster change?

Every classic supply-chain-attack indicator is absent. The closure cause sits entirely in business-conduct compliance, not security.

Comparable cases

This is structurally identical to the late-April 2026 wp.org compliance wave that took down ~85 plugins from these vendors — same root pattern (paid-product licensing or promo libraries inside the free plugin):

  • wpcodefactory — 61 plugins (135K installs)
  • bplugins — 11 plugins (33K installs)
  • woobewoo — 3 plugins (66K installs)
  • algoritmika — 8 plugins (480 installs)

None of those were malware either. All were vendors pushing wp.org's commercial-content boundaries.

Everything in this audit is reproducible from the links cited above: SVN log, RDAP records, GitHub repositories, wp.org forum threads, and any live endpoints. Full WP Beacon scan logs and any associated zip artifacts are available on request from the investigator.