WP Beacon
Campaign Codeandcore 2 audits
See also: #34 speedy-go

← All audits

Audit #38 Suspicious

WYSIWYG Character Limit for ACF · 100 installs · baseline 4.1.1 → head 4.1.2 · closed 1mo ago

Actor: codeandcore (Code and Core, codeandcore.com)
Show full summary

Verdict: SUSPICIOUS. On 2026-05-06, codeandcore released v4.1.2 of WYSIWYG Character Limit for ACF with a single line change: the activation/opt-in/uninstall tracker that POSTed to wordpress-plugins.pro/receiver.php was switched back to red-fly-431376.hostingersite.com/receiver.php. The changelog and commit message describe the release as "Added automatic redirect to settings page" — they do not mention the endpoint change. The plugin's deactivation feedback handler still POSTs to wordpress-plugins.pro (unchanged).

A portfolio-wide walk reframes what this swap actually is. Both endpoints have been in continuous use across codeandcore's 10-plugin portfolio for months: red-fly-431376.hostingersite.com was the original endpoint shipped with the deactivation-feedback framework starting v1.1.0 of code-and-core-remove-empty-p-tags (2025-11-25), and rolled across 8 sibling plugins through Feb 2026. Then on 2026-03-18, codeandcore migrated the entire portfolio to wordpress-plugins.pro in a synchronized wave. The 2026-05-06 wysiwyg release is the first plugin to flip back. So this is not "evasion to a fresh anonymous host after audit #34 flagged the prior one" — it's ongoing infrastructure ping-pong between two codeandcore-operated anonymous hosts.

What remains suspicious is the style: neither endpoint is branded to codeandcore.com, the swaps are concealed behind unrelated changelog copy, and the HMAC signature with hardcoded secret is security theater (the secret ships in plugin source). The plugin contains no malicious code paths — same author throughout, no upload primitives, no eval-of-remote-response, no auth bypass, no obfuscated execution. Telemetry payload is analytics-grade (site URL, plugin/WP/theme versions, locale, timestamp), not credentials.

Sites running v4.1.2 are not at risk of compromise. Recommended action: either uninstall to avoid the telemetry, or set tracking opt-in to "no" via Settings → WYSIWYG Character Limit. If you ever deactivate, dismiss the feedback modal rather than submitting it (the deactivation POST is not gated by the opt-in).

⚠️
Pattern detected — pending vendor response or further evidence.

Not yet confirmed malicious. Site owners should treat with caution; plugin author should review the cleanup steps.

If you run wysiwyg-character-limit-for-acf on your site

Verify your install matches the wp.org canonical version:

wp plugin verify-checksums wysiwyg-character-limit-for-acf

A patched build isn't yet published for this audit. Check the security advisories index or remove the plugin until one is available.

If you're the plugin author

Your site is not compromised. v4.1.2 contains no malware, no upload primitive, no auth bypass, and no remote code execution. The concern is the destination of the plugin's analytics telemetry, not the data itself.

## What the plugin sends

Every plugin install / opt-in / deactivation / uninstall event POSTs an AES-256 wrapped payload containing your site URL, plugin name & version, PHP version, WordPress version, theme name & version, multisite flag, locale, and a timestamp. No login credentials, no post content, no user data, no options table dump.

The main tracking endpoint (red-fly-431376.hostingersite.com/receiver.php) only fires when you have opted in via the settings page. The deactivation feedback endpoint (wordpress-plugins.pro/deactive-receiver.php) fires whenever you submit the deactivation feedback modal regardless of opt-in.

## If you want to keep the plugin

  1. Settings → WYSIWYG Character Limit: ensure "Tracking" is set to No.
  2. If you ever deactivate the plugin, dismiss the feedback modal rather than submitting it — that prevents the deactivation POST.
  3. Optionally, block both hosts at the firewall / WAF level:
  • red-fly-431376.hostingersite.com
  • wordpress-plugins.pro

## If you want to remove the plugin

Standard uninstall via Plugins → Installed Plugins → Deactivate → Delete is safe. Dismiss the deactivation feedback modal during the deactivate step to avoid the final telemetry POST.

## Vendor disclosure

This audit has been published. We have not contacted codeandcore directly; the vendor is welcome to respond and we will update this audit with their statement and any subsequent endpoint changes. A clean update that (a) removes the anonymous Hostinger subdomain in favor of an endpoint on the vendor's own codeandcore.com domain and (b) accurately documents telemetry destinations in the changelog would resolve the suspicious classification.

The label clears automatically on the next wp beacon scan-deltas once the cleanup conditions above are met.

Plugins under the same committer's SVN access

codeandcore holds push access to 6 plugins totalling 350 active installs. Each non-target plugin scans clean today but represents a one-commit hijack opportunity.

WYSIWYG Character Limit for ACF — this audit
100
Slug Search and Admin Columns — clean code, same SVN account (latent risk)
100
Codeandcore User Registration for CF7 — clean code, same SVN account (latent risk)
50
Code and Core Remove Empty P Tags — clean code, same SVN account (latent risk)
40
Image Preview for ACF Field — clean code, same SVN account (latent risk)
40
Speedy Go — clean code, same SVN account (latent risk)
20

Plugin version history

Every release on wp.org for this plugin, color-coded by relationship to the incident. The compromise window shows where the wp.org Plugin Review Team deleted the malicious tags from SVN — those versions cannot be re-downloaded today.

  1. Clean 7 earlier releases before the incident
    • 1.0
    • 2.0
    • 2.0.1
    • 3.0.0
    • 4.0.0
    • 4.0.1
    • 4.1.0
  2. 4.1.1 Last clean Last clean release before incident
  3. 🛑 Compromise window 49 days · 2026-03-18 → 2026-05-06

    Malicious releases pushed during this window were deleted from SVN by the wp.org Plugin Review Team. Last malicious tag: 4.1.2.

  4. 4.1.2 PRT cleanup PRT cleanup release — incident closed

Endpoint timeline across the codeandcore portfolio

Walking the per-commit history of every codeandcore plugin (10 slugs total, 9 with the tracking framework) reveals that red-fly-431376.hostingersite.com and wordpress-plugins.pro are both codeandcore-operated infrastructure — not "old flagged host" + "new evasion host." The portfolio has ping-ponged between them:

Phase 1 — red-fly-431376.hostingersite.com was the original (Nov 2025 → Feb 2026)

DatePluginVersionWhat landed
2025-11-25code-and-core-remove-empty-p-tagsv1.1.0red-fly receiver introduced
2025-12-10wysiwyg-character-limit-for-acfv4.0.0red-fly receiver introduced
2025-12-22slug-search-and-admin-columnsv1.0.0red-fly receiver introduced
2026-02-05cross-site-copy-field-for-acfv1.xred-fly deactive-receiver introduced
2026-02-05image-preview-for-acf-fieldv1.1.0red-fly receiver + deactive-receiver introduced
2026-02-05wysiwyg-character-limit-for-acfv4.1.0red-fly deactive-receiver added
2026-02-24speedy-gov1.0.1red-fly receiver + deactive-receiver introduced
2026-03-18admin-login-guard-brandingv1.0.0red-fly receiver introduced

Phase 2 — synchronized migration to wordpress-plugins.pro (Mar 2026)

DatePluginVersionChange
2026-03-18wysiwyg-character-limit-for-acfv4.1.1red-fly → wordpress-plugins.pro
2026-03-18slug-search-and-admin-columnsv2.0.1red-fly → wordpress-plugins.pro
2026-03-18image-preview-for-acf-fieldv1.1.1red-fly → wordpress-plugins.pro
2026-03-18cross-site-copy-field-for-acfv1.2.0red-fly → wordpress-plugins.pro
2026-03-18admin-login-guard-brandingv1.0.1red-fly → wordpress-plugins.pro (migration shipped same day red-fly was added)
2026-03-19code-and-core-remove-empty-p-tagsv2.0.0red-fly → wordpress-plugins.pro
2026-05-04speedy-gov2.1.0red-fly → wordpress-plugins.pro

Phase 3 — wysiwyg flips back to red-fly (May 2026)

DatePluginVersionChange
2026-05-06wysiwyg-character-limit-for-acfv4.1.2wordpress-plugins.pro → red-fly (main receiver only; deactive stays on wordpress-plugins.pro)

The May 6 release is the first plugin in the portfolio to flip back to red-fly. The other 8 plugins remain on wordpress-plugins.pro. The changelog reads "Added automatic redirect to settings page" — the actual diff at acf-wysiwyg-character-limit.php:577-578:

-        'https://wordpress-plugins.pro/receiver.php',
+        'https://red-fly-431376.hostingersite.com/receiver.php',

Current state across the portfolio

PluginLatest tagMain receiverDeactivation receiver
wysiwyg-character-limit-for-acfv4.1.2red-flywordpress-plugins.pro
slug-search-and-admin-columnsv2.0.1wordpress-plugins.prowordpress-plugins.pro
codeandcore-user-registration-cf7v1.1.2wordpress-plugins.prowordpress-plugins.pro
code-and-core-remove-empty-p-tagsv2.0.1wordpress-plugins.prowordpress-plugins.pro
image-preview-for-acf-fieldv1.1.3wordpress-plugins.prowordpress-plugins.pro
speedy-gov2.1.0wordpress-plugins.prowordpress-plugins.pro
cross-site-copy-field-for-acfv1.2.1wordpress-plugins.prowordpress-plugins.pro
admin-login-guard-brandingv1.0.1wordpress-plugins.prowordpress-plugins.pro
code-and-core-repeater-fields-for-contact-form-7v1.0.0wordpress-plugins.prowordpress-plugins.pro
one-click-block-for-elementorv1.0.0(no tracking framework)(none)

Telemetry payload

// acf-wysiwyg-character-limit.php:496-517 (HEAD)
$base_payload = [
    'site_url'       => home_url(),
    'plugin_name'    => $info['Name'],
    'plugin_version' => $info['Version'],
    'event'          => $event,           // Activation / Optin Yes / Deactivation / Uninstall
    'php_version'    => phpversion(),
    'wp_version'     => get_bloginfo('version'),
    'theme_name'     => wp_get_theme()->get('Name'),
    'theme_version'  => wp_get_theme()->get('Version'),
    'is_multisite'   => is_multisite() ? 'yes' : 'no',
    'site_language'  => get_locale(),
    'timestamp'      => time(),
];

Wrapped in AES-256-CBC with a hardcoded secret (8jF29fLkmsP0V9as0DLkso2P9lKs29FjsP4k2F0lskM2k) and an HMAC-SHA256 signature using the same key. Because the secret ships in plugin source, the HMAC is reproducible by anyone reading the code — it is not a security boundary. Identical secret across every codeandcore plugin and across both endpoints, confirming both hosts are operated by the same vendor.

The main tracker enforces opt-in (acf-wysiwyg-character-limit.php:564):

if (get_option('acf_wysiwyg_cl_tracking_optin') !== 'yes') { return; }

The deactivation handler does not check this option — it fires whenever the user submits the deactivation feedback modal.

Live endpoint state (2026-05-08)

$ curl -X POST https://wordpress-plugins.pro/deactive-receiver.php -d 'data=test&signature=test'
HTTP/2 403
Invalid signature

$ curl -X POST https://red-fly-431376.hostingersite.com/receiver.php -d 'data=test&signature=test'
HTTP/2 stream error (active receiver, not a static page)

$ curl https://wordpress-plugins.pro/
HTTP/2 401
Authentication required.

Both receivers are operational. The signature-validation behavior at wordpress-plugins.pro confirms it actively processes payloads. The host root is behind HTTP basic auth — there is no public landing page identifying who operates it. Same for the red-fly Hostinger subdomain. Neither endpoint is branded to codeandcore.com, even though every other codeandcore plugin file references that domain in headers, support links, and "Author URI" fields.

Portfolio-wide attack-shape sweep

Across all 10 codeandcore plugins:

  • No eval / assert / create_function / preg_replace /e / dynamic execution anywhere
  • No move_uploaded_file / wp_handle_upload / $_FILES primitives anywhere
  • No update-channel hijack (no PUC, no custom auto-updater)
  • No authentication backdoor or hardcoded admin grant
  • No obfuscation beyond the standard AES wrapper around the analytics payload
  • No other anonymous-host endpoints (no Netlify / Vercel / fly.dev / cloudfront subdomains)
  • No SVN-credential change or new committercodeandcore is sole committer for every plugin in the portfolio

Hijack-indicator matrix

IndicatorResult
Sole committer for ≥2 years?partial — codeandcore is sole committer for every plugin's full life
Sudden new committer before this release?no
Author profile drift?no — established codeandcore.com vendor with documented portfolio
Code-level malware patterns?no
Outbound C2 / known bad domains?partial — both wordpress-plugins.pro and red-fly-*.hostingersite.com are anonymous hosts. Both are codeandcore-operated, both have been in active use for months. The "anonymous-domain" property is real, the "fresh-host evasion" framing initially raised here is not
New SVN credentials before this release?no

Five of six indicators clean. The one positive indicator is the anonymous nature of both telemetry hosts, not the swap itself.

Comparable cases

  • Audit #34 — speedy-go v2.1.0 (codeandcore): same author, same telemetry framework. The wp.org-rule violation called out in #34 (a license-bypass refactor with the changelog literally announcing "Bypassed all API key and license verification") is independent of the endpoint question and remains unresolved.
  • Audit #33 — mathewt 5-plugin Netlify telemetry cluster: hobbyist Freemius-style deactivation telemetry to a Netlify subdomain, BENIGN verdict. Architectural shape is similar (modal → admin-ajax → encrypted POST to anonymous host), but mathewt's host was at least branded to a single Netlify project; codeandcore uses two separate generic anonymous hosts.

What is not present

  • No eval / include / require of remote response content
  • No file upload primitives or writes outside the plugin's own directory
  • No update-channel hijack
  • No authentication backdoor or magic header
  • No obfuscation beyond the standard AES wrapper
  • No third anonymous endpoint we hadn't already discovered
  • No SVN-credential change, no new committer, no compromised account signal

Why suspicious rather than benign

Even with the corrected understanding (ping-pong between two long-running vendor hosts, not detection-evasion), the pattern remains hygiene-problem shape:

1. Neither telemetry endpoint is branded to codeandcore.com despite the vendor having an established public domain 2. Endpoint swaps are systematically concealed in changelog copy ("Added automatic redirect to settings page" hides an endpoint swap; "Enhanced: Deactivation feedback popup UI" hid the original red-fly addition) 3. The pattern of portfolio-wide synchronized swaps (Mar 2026 wave) plus the May 2026 outlier suggests further migrations may follow without disclosure 4. HMAC secret hardcoded in source is security theater — the signature provides no integrity guarantee

A clean release that (a) consolidates onto a codeandcore.com subdomain and (b) accurately documents telemetry destinations in changelogs would resolve the suspicious classification. We have not contacted codeandcore directly; the vendor is welcome to respond.

Everything in this audit is reproducible from the links cited above: SVN log, RDAP records, GitHub repositories, wp.org forum threads, and any live endpoints. Full WP Beacon scan logs and any associated zip artifacts are available on request from the investigator.