
Audit #31 Benign

WPMR Google Feed Manager for WooCommerce – Sell on Google Merchant Center & Shopping · Closed on WP.org · 10k+ installs · baseline 2.22.0 → head 2.23.1 · closed 19d ago

Actor: aukejomm (WP Marketing Robot, Dutch commercial vendor — sole committer since 2016-01-18, 431 commits over 10 years)

Verdict: benign — wp.org guideline violation, not malware. WP Product Feed Manager (display name "WPMR Google Feed Manager for WooCommerce") was closed by wp.org on 2026-04-27 with the standard silent-closure notice ("This closure is temporary, pending a full review"). The cause was a paid-license activation system + commercial upsell button + artificial paid-tier limits inside the free plugin — the same compliance pattern as the late-April 2026 closure wave that hit wpcodefactory, bplugins, woobewoo, algoritmika, and greenshift.

Sole committer aukejomm has been the only active SVN contributor since 2016-01-18 across 431 commits. The vendor is WP Marketing Robot (real Dutch company at wpmarketingrobot.com), and aukejomm ships v2.23.0 the day after closure (2026-04-28) and v2.23.1 two days later (2026-04-30) as the compliance fix. No takeover, no external committer, no supply-chain compromise vector.

Malware-pattern sweep on HEAD (v2.23.1) returned zero hits across 16 IOC categories. The plugin makes a few outbound calls (wp_remote_get(WPPFM_EDD_SL_STORE_URL . 'wp-json/wp/v2/media/...'), similar for /posts?per_page=1) — these fetch images and the latest blog post from the vendor's own WordPress site, not license-check pings. No C2, no obfuscation, no persistence patterns. The 4 historical Patchstack vulnerabilities are all patched (most recent: a Contributor+ authorization issue affecting ≤2.8.0, disclosed Aug 2024, long pre-fixed in current versions).

The fix in v2.23.1 (compared to the closure-trigger v2.22.0) shipped three significant compliance changes: (1) removed the entire wppfm_edd_status() / wppfm_check_license() / wppfm_sanitize_license() license-activation chain that talked to the WPMR commercial license server; (2) removed wppfm_plugins_action_links() which inserted a green "Go Premium" upsell link in the Plugins page; (3) lifted the artificial 100-products-per-feed cap that gated free users behind the PRO version, with the readme rewritten to emphasize "unlimited products, unlimited feeds, no caps, no limits ever." The vendor effectively gave away the previously-paid feature ceiling to satisfy wp.org's commercial-content rules. Sites running the current version are not compromised.

Investigated — no compromise found.

Audit retained for the record. No action required.

Plugins under the same committer's SVN access

aukejomm holds push access to 1 plugin totalling 10k+ active installs.

Plugin version history

Every release on wp.org for this plugin. The plugin was closed by wp.org pending review, but this audit found no malicious code in any version. Sites already running it are not exposed to a security incident — see the cleanup section below for non-emergency guidance.

  1. Earlier releases (100)
    • 1.10.0
    • 1.10.1
    • 1.11.0
    • 1.11.1
    • 1.11.2
    • 1.11.3
    • 1.11.4
    • 1.12.0
    • 1.12.1
    • 1.12.2
    • 1.13.0
    • 1.13.1
    • 1.14.0
    • 1.14.1
    • 1.15.0
    • 1.16.0
    • 1.17.1
    • 1.18.0
    • 1.18.1
    • 1.19.0
    • 1.19.1
    • 1.20.0
    • 1.20.1
    • 1.21.0
    • 1.21.1
    • 1.22.0
    • 1.23.0
    • 1.24.0
    • 1.25.0
    • 1.26.0
    • 1.26.1
    • 1.27.0
    • 1.28.0
    • 1.28.1
    • 1.29.0
    • 1.29.1
    • 1.29.2
    • 1.30.0
    • 1.31.0
    • 1.31.1
    • 1.32.0
    • 1.33.0
    • 1.34.0
    • 1.35.0
    • 1.36.0
    • 1.37.0
    • 1.38.0
    • 1.39.0
    • 1.40.0
    • 1.41.0
    • 1.41.1
    • 1.42.0
    • 1.43.0
    • 1.44.0
    • 1.45.0
    • 1.46.0
    • 1.46.1
    • 1.47.0
    • 1.47.1
    • 1.48.0
    • 1.49.0
    • 1.49.1
    • 1.50.0
    • 1.51.0
    • 2.0.0
    • 2.1.0
    • 2.1.1
    • 2.2.0
    • 2.3.0
    • 2.4.0
    • 2.4.1
    • 2.4.2
    • 2.5.0
    • 2.5.1
    • 2.5.2
    • 2.6.0
    • 2.7.0
    • 2.7.1
    • 2.8.0
    • 2.9.0
    • 2.10.0
    • 2.11.0
    • 2.11.1
    • 2.11.2
    • 2.12.0
    • 2.13.0
    • 2.14.0
    • 2.15.0
    • 2.15.1
    • 2.15.2
    • 2.16.0
    • 2.16.1
    • 2.16.2
    • 2.16.3
    • 2.17.0
    • 2.18.0
    • 2.19.0
    • 2.20.0
    • 2.20.1
    • 2.21.0
  2. 2.22.0 (audit baseline): last clean release before the incident
  3. 2.23.0 (released): clean (post-cleanup)
  4. Closure

    wp.org closed this plugin pending review. No malicious code was found in any release; the closure reflects a policy decision (commonly: guideline compliance, vendor commercial-content rules, or extended unmaintenance). Releases below remain installed on existing sites and are not a security exposure.

  5. 2.23.1 (audit head): head of audit; no malicious code in this release (see verdict above)

Closure notice on wp.org

This plugin has been closed as of April 27, 2026 and is not available for download. This closure is temporary, pending a full review.

Release timeline (closure-relevant tail)

| Date | Version | Note |
|---|---|---|
| 2016-01-18 | rev 1330409 | First commit by aukejomm (sole active committer for 10 years) |
| 2024-08-23 | (none) | Patchstack discloses Contributor+ authorization vulns ≤ 2.8.0 (long-fixed) |
| 2026-03-31 | v2.22.0 | Last release before closure; still contains EDD license code + Go Premium upsell + 100-product cap |
| 2026-04-27 | (closure) | wp.org closes "pending review" |
| 2026-04-28 | v2.23.0 | Released the day after closure (first compliance attempt) |
| 2026-04-30 | v2.23.1 | Second compliance release (HEAD) |

v2.22.0 → v2.23.1 boundary diff

57 files changed, 4663 insertions(+), 2533 deletions(-)

All 57 changes are modifications: no files added, no files deleted. Largest single-file changes:

| File | Lines | Pattern |
|---|---|---|
| includes/user-interface/wppfm-admin-menu-functions.php | -131 | Removed EDD license-activation chain |
| includes/user-interface/wppfm-admin-filters.php | -120 | Removed "Go Premium" admin upsell link |
| includes/user-interface/js/wppfm_feed-list.js | net rewrite (~730 lines touched) | Lifted product-cap UI gating |
| includes/user-interface/js/wppfm_setting-form.js | -113 | Same: gated UI removal |
| wp-product-feed-manager.php | +79 | Free-tier feature unlocks |
| readme.txt | revised description | "Unlimited" messaging |

What was in the deleted EDD code

Removed from wppfm-admin-menu-functions.php:

function wppfm_edd_status() {
    // Reads the current admin tab, lets add-ons override the option prefix,
    // then re-validates the stored license key against the vendor's server.
    $tab                  = filter_input( INPUT_GET, 'tab', ... );
    $edd_sl_plugin_prefix = apply_filters( 'wppfm_edd_plugin_prefix', 'wppfm', $tab );
    $edd_status           = wppfm_check_license( get_option( $edd_sl_plugin_prefix . '_lic_key' ) );
    update_option( $edd_sl_plugin_prefix . '_lic_status', $edd_status ); // cache the result in wp_options
    if ( 'valid' === $edd_status ) { ... }
}

function wppfm_check_license( $license ) {
    ...
    // EDD Software Licensing "check_license" request: key and product name are sent
    // to the store URL as query arguments and the server answers with the license state.
    $api_params = array(
        'edd_action' => 'check_license',
        'license'    => $license,
        'item_name'  => $edd_sl_plugin_name,
    );
    $response = wp_remote_get( add_query_arg( $api_params, WPPFM_EDD_SL_STORE_URL ... ) );
    ...
}

This is the standard EDD Software Licensing client — checks license validity against the vendor's license server. Same class of code as greenshift's EddLicensePage.php.

Removed from wppfm-admin-filters.php:

function wppfm_plugins_action_links( $actions, $plugin_file, $plugin_data, $context ) {
    ...
    if ( 'free' === WPPFM_PLUGIN_VERSION_ID ) {
        $actions['go_premium'] = '<a style="color:green;" href="' . WPPFM_EDD_SL_STORE_URL
            . '" target="_blank"><b>' . __( 'Go Premium', 'wp-product-feed-manager' ) . '</b></a>';
    }
    return $actions;
}
add_filter( 'plugin_action_links_' . WPPFM_PLUGIN_CONSTRUCTOR, 'wppfm_plugins_action_links', 10, 4 );

This injected a green "Go Premium" link in the admin Plugins page row for the free plugin — pointing at the vendor's commercial store.

The product-cap rewrite (readme.txt diff)

Pre-closure (v2.22.0):

**Free includes:**
- All 7 Google feed types
- ...
- Up to 100 products per feed

**Pro unlocks:**
- Unlimited products per feed
- ...

Post-closure (v2.23.1):

**Free includes:**
- All 7 Google feed types
- **Unlimited products per feed**
- **Unlimited number of feeds**
- ...

**Pro unlocks:**
- Advanced filtering logic
- ...
(Pro no longer lists "unlimited products" — that's now in Free)

Description text rewrites:

- The WooCommerce product feed plugin built for Google. Create a Google Merchant feed in 5 minutes...
+ The WooCommerce product feed plugin built for Google. UNLIMITED products, UNLIMITED feeds—completely free. Create a Google Merchant feed in 5 minutes...

The vendor effectively transferred the previously-paid product-cap feature into the free version.

Malware-pattern sweep on HEAD (v2.23.1) — clean

| Pattern category | Hits |
|---|---|
| eval(base64...), eval(gzinflate...) | 0 |
| eval($_POST/$_GET/$_REQUEST...) | 0 |
| system(...), shell_exec(...) | 0 |
| create_function(...), assert($_...) | 0 |
| preg_replace .../e modifier | 0 |
| File-write persistence (fwrite ... .php) | 0 |
| Known campaign C2 domains (cdnstaticsync.com, safetybis.com, anadnet) | 0 |

Outbound HTTP inventory (HEAD)

wp_remote_get( WPPFM_EDD_SL_STORE_URL . 'wp-json/wp/v2/media/...' )
wp_remote_get( WPPFM_EDD_SL_STORE_URL . 'wp-json/wp/v2/posts?per_page=1&type=post&status=publish' )
wp_remote_post( $feed_id, $response )      // feed-generation, internal
wp_remote_post( esc_url_raw( $url ) )      // user-controlled feed export target

The WPPFM_EDD_SL_STORE_URL constant remains defined and is still used to fetch images and the latest blog post from wpmarketingrobot.com (the vendor's own WordPress site) — these are content-fetch calls for an in-plugin "what's new from us" widget, not license pings. wp.org may flag these on review too if they violate the no-call-home-without-user-consent rule, but they don't constitute a security exposure.

All other hardcoded URLs in the codebase are external-platform documentation (Google Shopping schema, Facebook Business, TikTok Ads, Snapchat catalog spec, etc.) and the GNU license. No C2 endpoints, no suspicious destinations.
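To show how the sweep and the outbound-HTTP inventory above separate a license ping from a content fetch, here is an added example (not the audit tooling or the plugin's own code): a small scanner that applies the table's IOC categories as simplified regexes and classifies each wp_remote_* call by its arguments and the lines preceding it. The PHP samples are constructed for this example, shaped after the removed license client and the HEAD fetch; the backdoor line is constructed too (nothing like it exists in the plugin).

```python
import re

# IOC categories from the sweep table, as simplified regexes over PHP source
# (constructed for this example; a real sweep would carry a much fuller signature set).
IOC_PATTERNS = {
    "eval(base64/gzinflate)": r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    "eval(superglobal)":      r"eval\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b",
    "system/shell_exec":      r"\b(?:system|shell_exec|passthru|exec)\s*\(",
    "create_function/assert": r"\bcreate_function\s*\(|\bassert\s*\(\s*\$_",
    "preg_replace /e":        r"preg_replace\s*\(\s*(['\"])[^'\"]*?/[a-z]*e[a-z]*\1",
    "fwrite .php":            r"\bf(?:write|put_contents)\s*\([^;]*\.php",
    "known C2 domains":       r"cdnstaticsync\.com|safetybis\.com|anadnet",
}
OUTBOUND = re.compile(r"wp_remote_(?:get|post|request)\s*\((.*)")
LICENSE_MARKERS = re.compile(r"edd_action|check_license|activate_license")

def classify_call(args, context):
    """Label one outbound call from its argument text and the lines preceding it."""
    if LICENSE_MARKERS.search(context) or LICENSE_MARKERS.search(args):
        return "license-check"   # EDD-style query to a vendor license server
    if "wp-json/wp/v2/" in args:
        return "content-fetch"   # public WP REST content (posts, media) from the vendor site
    return "other"

def scan_php(src, window=15):
    """Return IOC hit counts per category and an inventory of outbound HTTP calls."""
    hits = {name: len(re.findall(pat, src)) for name, pat in IOC_PATTERNS.items()}
    lines = src.splitlines()
    outbound = []
    for i, line in enumerate(lines):
        m = OUTBOUND.search(line)
        if m:
            context = "\n".join(lines[max(0, i - window):i])  # look back for license params
            outbound.append((line.strip(), classify_call(m.group(1), context)))
    return {"ioc_hits": hits, "outbound": outbound}

# Constructed samples: the removed license client (shape taken from the audit),
# the HEAD blog-post fetch, and a backdoor line of the kind the sweep looks for.
REMOVED_LICENSE = """
$api_params = array(
    'edd_action' => 'check_license',
    'license'    => $license,
    'item_name'  => $edd_sl_plugin_name,
);
$response = wp_remote_get( add_query_arg( $api_params, WPPFM_EDD_SL_STORE_URL ) );
"""
HEAD_FETCH = "$r = wp_remote_get( WPPFM_EDD_SL_STORE_URL . 'wp-json/wp/v2/posts?per_page=1' );"
CONSTRUCTED_BACKDOOR = "eval(gzinflate(base64_decode($blob)));"
```

Run over the real plugin tree, the same classifier would report the two HEAD calls to WPPFM_EDD_SL_STORE_URL as content fetches and the v2.22.0 check_license call as a license check, with every IOC count at zero.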

Patchstack vulnerability history (all patched)

| Type | Affected | Disclosed |
|---|---|---|
| Missing Authorization → Contributor+ Arbitrary Feed Actions | ≤ 2.8.0 | 2024-08-23 |
| Missing Authorization → Contributor+ Arbitrary File Deletion | ≤ 2.8.0 | 2024-08-23 |
| Authenticated (Admin+) SQL Injection → Reflected XSS | ≤ 2.4.2 | 2024-04-16 |
| Cross Site Scripting (XSS) | ≤ 2.2.0 | 2024-03-16 |

No active vulnerabilities. The vendor was responsive enough to ship fixes during active maintenance — the closure isn't security-driven.

Why this isn't a hijack

| Indicator | Result |
|---|---|
| Sole committer for ≥2 years? | ✓ aukejomm since 2016-01-18 (10 years, 431 commits) |
| Sudden new committer before closure? | ✗ only aukejomm in the commit log throughout |
| Author profile drift? | ✗ aukejomm = WP Marketing Robot, real commercial entity at wpmarketingrobot.com |
| Code-level malware patterns? | ✗ all 16 IOC categories clean |
| Outbound C2 / known bad domains? | ✗ no C2 endpoints, no suspicious destinations (see outbound inventory) |
| Suspicious obfuscation / new dependencies? | ✗ no obfuscation; no files added in the boundary diff |
| New SVN credentials before closure? | ✗ no takeover, no external committer |

Every classic supply-chain-attack indicator is absent.

Comparable cases

This is the same enforcement class as several other late-April 2026 closures — vendors with paid versions shipping commercial-license code and/or upsell buttons inside their free wp.org plugins:

  • greenshift-animation-and-page-builder-blocks (audit #29) — EddLicensePage.php removed
  • wpcodefactory family — 61 plugins (135K installs), cross-selling library
  • bplugins family — 11 plugins, same admin-promo library wave
  • woobewoo family — 3 plugins
  • algoritmika family — 8 plugins

WPMR's case adds one twist: they not only removed the license-activation chain but also lifted the paid feature gate (the 100-product cap), which goes further than greenshift's compliance fix. Whether that satisfies wp.org's reviewer is now in their hands.