Audit #36 Suspicious
What's flagged. The plugin wires the Yahnis Elsts Plugin Update Checker (PUC) into a literal-placeholder URL that the author never replaced before publishing:
cc_wpsc_init.php:17-18
```php
$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker(
    'http://blog.XXXXXXXX.com/meta_ccwpsc.json',
    __FILE__,
    'country-caching-extension-for-wp-super-cache'
);
```
The string XXXXXXXX is a copy-paste template the author intended to replace with their real domain. They didn't. The placeholder shipped to wordpress.org in 0.8.0 (last release, 2021-03-24).
Why this is dormant supply-chain risk. The parent domain xxxxxxxx.com is registered (since 2000-08-09, registrar DomainCostClub.com / Global Domains International, last changed 2025-08-05). blog.xxxxxxxx.com resolves to the parking provider's IP. Today the URL times out; nothing useful is served. But the registered owner can at any moment:
1. Configure the blog. subdomain
2. Serve a properly-formatted meta_ccwpsc.json indicating a new version + zip URL
3. Trigger automatic plugin updates on every site running this plugin (~200 installs)
4. Plugin code installs run with full author privileges
This is the classic PUC supply-chain vector that was used in the 2021 anadnet/quick-pagepost-redirect-plugin compromise (audit #12 lineage), only the destination has not yet been activated.
create_function() finding is incidental — historical PHP 5 RCE primitive removed in PHP 8. Plugin is unmaintained and would crash on PHP 8 anyway. Not the dominant concern.
Exposure. Currently 200 active installs. Plugin is live on wordpress.org despite 5-year inactivity.
Not yet confirmed malicious. Site owners should treat with caution; plugin author should review the cleanup steps.
If you run country-caching-extension-for-wp-super-cache on your site
Verify your install matches the wp.org canonical version:
```
wp plugin verify-checksums country-caching-extension-for-wp-super-cache
```
A patched build isn't yet published for this audit. Check the security advisories index or remove the plugin until one is available.
Plugins under the same committer's SVN access
wrigs1 holds push access to 5 plugins totalling 410 active installs. Each non-target plugin scans clean today but represents a one-commit hijack opportunity.
IOCs extracted (3)
| Kind | Value | Confidence |
|---|---|---|
| code_pattern | blog.XXXXXXXX.com | medium |
| code_pattern | puc_placeholder_url_with_registered_parent | medium |
| url | http://blog.XXXXXXXX.com/meta_ccwpsc.json | medium |
Audit #36 — country-caching-extension-for-wp-super-cache
- Plugin: country-caching-extension-for-wp-super-cache (Country Caching For WP Super Cache)
- Active installs: 200
- Event: #2524 code_pattern · critical · 2026-05-08 09:56:56
- Baseline version: none — no clean pre-suspect release
- Head version: 0.8.0 ✓
- Author: wrigs1 (joined wp.org 2014, 23 commits to this plugin, last activity 2021-03-24)
- Plugin status on wp.org: OPEN (200 active installs, abandoned ~5 years)
Verdict
suspicious
Recommendation to wp.org
Close plugin for inactivity + dormant supply-chain attack surface. Author has not touched the plugin in 5 years; placeholder URL with registered parent domain is a latent vulnerability that any future attacker (or current parking-network owner pivoting their business model) can exploit without code access.
Added files (0)
_No new files between baseline and head._
Suspicious pattern hits (2)
puc_update_hijack — 1 hit
cc_wpsc_init.php:17 — $myUpdateChecker = Puc_v4_Factory::buildUpdateChecker('http://blog.XXXXXXXX.com/meta_ccwpsc.json', __FILE__, 'country-caching-extension-for-wp-super-cache');
createfunc — 1 hit
inc/wp-php53.php:42 — $notice_handler = create_function('', ... — incidental to abandoned-plugin status; not the focus of this audit.
IOCs to extract
- kind: code_pattern, value: blog.XXXXXXXX.com, confidence: medium
- kind: url, value: http://blog.XXXXXXXX.com/meta_ccwpsc.json, confidence: medium
- kind: code_pattern, value: puc_placeholder_url_with_registered_parent, confidence: medium
Full diff
_No diff available (one or both versions failed to export)._
New rule recommendation
PucPlaceholderUrl — fires when Puc_v4_Factory::buildUpdateChecker (or Factory::buildUpdateChecker) is called with a URL whose host contains a literal-placeholder pattern (/X{4,}/, /your[-_]/i, /example\./i) and the parent registrable domain resolves via DNS. The combination differentiates harmless dev placeholders (parent unregistered) from latent attack surfaces (parent already owned by someone).
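The PucPlaceholderUrl rule proposed above, sketched in Python as an added example; it is not the audit tool's own code. The function names, the two-label parent heuristic and the second and third sample calls are assumptions, and the DNS lookup is injectable so the scan can run offline.

```python
import re
import socket
from urllib.parse import urlsplit

# Both call forms named in the rule; captures the first quoted argument (metadata URL).
CALL_RE = re.compile(r"""Factory::buildUpdateChecker\s*\(\s*(['"])(?P<url>[^'"]+)\1""")
# Placeholder patterns exactly as listed in the rule text.
PLACEHOLDERS = [re.compile(r"X{4,}"), re.compile(r"your[-_]", re.I),
                re.compile(r"example\.", re.I)]

def dns_resolves(name):
    """Live lookup; pass a stub as `resolves` to scan offline."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def registrable_parent(host):
    # Assumption: last two labels. A production rule needs the Public Suffix List
    # so that hosts under suffixes such as co.uk are handled correctly.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def scan_php(source, resolves=dns_resolves):
    findings = []
    for m in CALL_RE.finditer(source):
        url = m.group("url")
        # Use netloc, not .hostname: hostname is lowercased, which would hide /X{4,}/.
        host = urlsplit(url).netloc.rsplit("@", 1)[-1].split(":")[0]
        if not any(p.search(host) for p in PLACEHOLDERS):
            continue
        parent = registrable_parent(host)
        # fires=False means a dev placeholder whose parent is not in DNS.
        findings.append({"line": source.count("\n", 0, m.start()) + 1, "url": url,
                         "parent": parent, "fires": resolves(parent)})
    return findings

# First call is the snippet from this audit; the other two are constructed.
SAMPLE = """<?php
$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker(
    'http://blog.XXXXXXXX.com/meta_ccwpsc.json',
    __FILE__,
    'country-caching-extension-for-wp-super-cache'
);
$a = Puc_v4_Factory::buildUpdateChecker('http://your-site.invalid/info.json', __FILE__, 'a');
$b = Puc_v4_Factory::buildUpdateChecker('https://updates.vendor.test/meta.json', __FILE__, 'b');
"""

if __name__ == "__main__":  # constructed DNS answers, no network used
    print(scan_php(SAMPLE, resolves=lambda d: d == "xxxxxxxx.com"))
```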