Audit #37 Suspicious

Category Country Aware WordPress · 200 installs · baseline — → head 1.2.3 · by beacon-scan-skill · closed 1mo ago

Show full summary

What's flagged. Same author + same pattern as audit #36 (country-caching-extension-for-wp-super-cache). The plugin wires the Yahnis Elsts Plugin Update Checker (PUC) into a literal-placeholder URL that the author never replaced before publishing:

cca_init.php:20
$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker(
    'http://blog.XXXXXXXXXXXX.com/meta_cca.json',
    __FILE__,
    'category-country-aware'
);

Why this is dormant supply-chain risk. The parent domain xxxxxxxxxxxx.com is registered (since 1997-08-21 — 28 years old, registrar Sea Wasp / Fabulous.com — a domain-parking network, last changed 2025-08-12). Unlike audit #36, the destination is currently alive and serving redirects:

HTTP/1.1 301 Found
Location: http://kdop.com/meta_cca.json    →  also Sea Wasp/Fabulous.com
HTTP/1.1 301 Found
Location: http://freehat.com/BHP.mov/meta_cca.json

Currently those redirects terminate in HTML (parking ad pages, not valid PUC JSON), so PUC's parse fails and no update fires. But the parking provider — Sea Wasp / Fabulous.com — has live infrastructure routing requests through their network for these placeholder URLs right now. Any change to their behavior, any acquisition of the domain by a third party, or any owner-decision to start serving JSON at these paths would auto-update the ~200 active installs.

Other patterns flagged but determined non-malicious by review:

eval('?>' . $additional_content) at lines 321 and 741 — both gated by apply_filters('cca_text_allow_php', FALSE). Default-off opt-in PHP-in-widget feature. Legacy pattern from the original WordPress core "Text Widget with PHP" model.
base64_decode at line 149 — part of an openssl_decrypt helper used by cca_decrypt_emailaddress for email-address obfuscation. Author-intentional anti-scraping feature.
create_function() in inc/wp-php53.php — historical RCE primitive removed in PHP 8. Incidental to abandoned-plugin status.

None of these are the dominant concern. The dominant concern is the PUC placeholder URL with active parking infrastructure.

Exposure. Currently 200 active installs. Plugin is live on wordpress.org despite 5-year inactivity.

⚠️

Pattern detected — pending vendor response or further evidence.

Not yet confirmed malicious. Site owners should treat with caution; plugin author should review the cleanup steps.

If you run `category-country-aware` on your site

Verify your install matches the wp.org canonical version:

wp plugin verify-checksums category-country-aware

A patched build isn't yet published for this audit. Check the security advisories index or remove the plugin until one is available.

If you're the plugin author

Cleanup steps to clear this label have not yet been documented for this audit. Contact the investigator listed above.

The label clears automatically on the next wp beacon scan-deltas once the cleanup conditions above are met.

Plugins under the same committer's SVN access

wrigs1 holds push access to 5 plugins totalling 410 active installs. Each non-target plugin scans clean today but represents a one-commit hijack opportunity.

Category Country Aware WordPress — this audit

200

Country Caching For WP Super Cache — clean code, same SVN account (latent risk)

200

Country Caching Extension — clean code, same SVN account (latent risk)

British Embassy Finder — clean code, same SVN account (latent risk)

—

Travel Advice by Country Widget — closed by wp.org

—

IOCs extracted (4)

Kind	Value	Confidence
code_pattern	`blog.XXXXXXXXXXXX.com`	medium
domain	`freehat.com`	low
domain	`kdop.com`	low
url	`http://blog.XXXXXXXXXXXX.com/meta_cca.json`	medium

Audit #37 — category-country-aware

Plugin: category-country-aware (Category Country Aware WordPress)
Active installs: 200
Event: #2527 code_pattern · critical · 2026-05-08 09:56:56
Baseline version: none — no clean pre-suspect release
Head version: 1.2.3 ✓
Author: wrigs1 (joined wp.org 2014, 49 commits to this plugin, last activity 2021-03-24)
Plugin status on wp.org: OPEN (200 active installs, abandoned ~5 years)

Summary

cca_init.php:20
$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker(
    'http://blog.XXXXXXXXXXXX.com/meta_cca.json',
    __FILE__,
    'category-country-aware'
);

HTTP/1.1 301 Found
Location: http://kdop.com/meta_cca.json    →  also Sea Wasp/Fabulous.com
HTTP/1.1 301 Found
Location: http://freehat.com/BHP.mov/meta_cca.json

Other patterns flagged but determined non-malicious by review:

eval('?>' . $additional_content) at lines 321 and 741 — both gated by apply_filters('cca_text_allow_php', FALSE). Default-off opt-in PHP-in-widget feature. Legacy pattern from the original WordPress core "Text Widget with PHP" model.
base64_decode at line 149 — part of an openssl_decrypt helper used by cca_decrypt_emailaddress for email-address obfuscation. Author-intentional anti-scraping feature.
create_function() in inc/wp-php53.php — historical RCE primitive removed in PHP 8. Incidental to abandoned-plugin status.

None of these are the dominant concern. The dominant concern is the PUC placeholder URL with active parking infrastructure.

Exposure. Currently 200 active installs. Plugin is live on wordpress.org despite 5-year inactivity.

Verdict

suspicious

Recommendation to wp.org

Close plugin for inactivity + dormant supply-chain attack surface. The destination domain (xxxxxxxxxxxx.com) is currently routed through a parking network that already serves live HTTP responses on the exact path PUC polls (/meta_cca.json); only the response content stands between the current null state and an actual auto-update event. Author has not touched the plugin in 5 years.

Added files (0)

_No new files between baseline and head._

Suspicious pattern hits (5)

`puc_update_hijack` — 1 hit

cca_init.php:20 — $myUpdateChecker = Puc_v4_Factory::buildUpdateChecker('http://blog.XXXXXXXXXXXX.com/meta_cca.json', __FILE__, 'category-country-aware');

`eval_call` — 2 hits (reviewed: gated, non-malicious)

cca_textwidget.php:321 — eval('?>' . $additional_content); // do php (gated by cca_text_allow_php filter, default FALSE)
cca_textwidget.php:741 — eval('?>' . $content); // apply php if allowed (same gate)

`base64_decode` — 1 hit (reviewed: legitimate)

cca_textwidget.php:149 — $output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $iv); (email obfuscation helper)

`createfunc` — 1 hit

inc/wp-php53.php:42 — $notice_handler = create_function('', ... — incidental to abandoned-plugin status.

IOCs to extract

kind: code_pattern, value: blog.XXXXXXXXXXXX.com, confidence: medium
kind: url, value: http://blog.XXXXXXXXXXXX.com/meta_cca.json, confidence: medium
kind: domain, value: kdop.com, confidence: low
kind: domain, value: freehat.com, confidence: low
kind: code_pattern, value: puc_placeholder_url_with_registered_parent, confidence: medium

Full diff

_No diff available (one or both versions failed to export)._

New rule recommendation

Same as audit #36: PucPlaceholderUrl — fires when Puc_v4_Factory::buildUpdateChecker (or Factory::buildUpdateChecker) is called with a URL whose host contains a literal-placeholder pattern (/X{4,}/, /your[-_]/i, /example\./i, /yourdomain\./i) and the parent registrable domain resolves via DNS. Pair with severity bump if the URL endpoint actually returns 200/3xx (live attack-surface confirmed) vs. just NXDOMAIN (theoretical only).

Cross-reference

Same author (wrigs1) and same dormant pattern as audit #36. The two audits should be cross-linked in the WP Beacon dashboard since one wp.org closure decision should cover both plugins.