Suspicious
Audit #40
Kirki – Freeform Page Builder, Website Builder & Customizer
— 500k+ installs
Verdict: SUSPICIOUS. The legitimate Kirki Customizer Framework (Aristeides Stathopoulos, 2014–2023, 500,000 active installs, used by hundreds of WordPress themes as a dependency) was effectively replaced at v6.0.0 (rele…
Suspicious
Audit #39
2-plugin suite
— 8k+ combined installs
This audit re-examines the JoomSky vendor portfolio after audit #23 found setup.joomsky.com was the C2 endpoint for an eval(curl_exec(JCONSTINST)) remote-PHP-execution primitive shipped in js-support-ticket through 2017…
Suspicious
Audit #37
Category Country Aware WordPress
— 100 installs
What's flagged. Same author + same pattern as audit #36 (country-caching-extension-for-wp-super-cache). The plugin wires the Yahnis Elsts Plugin Update Checker (PUC) into a literal-placeholder URL that the author never …
Suspicious
Audit #36
Country Caching For WP Super Cache
— 200 installs
What's flagged. The plugin wires the Yahnis Elsts Plugin Update Checker (PUC) into a literal-placeholder URL that the author never replaced before publishing: `cc_wpsc_init.php:17-18 $myUpdateChecker = Puc_v4_Factory:`…
Suspicious
Audit #38
WYSIWYG Character Limit for ACF
— 100 installs
Verdict: SUSPICIOUS. On 2026-05-06, codeandcore released v4.1.2 of WYSIWYG Character Limit for ACF with a single line change: the activation/opt-in/uninstall tracker that POSTed to wordpress-plugins.pro/receiver.php was…
Suspicious
Audit #35
Muchat – AI Chatbot (with Autosync)
— 200 installs
Verdict: SUSPICIOUS — vendor self-own, not a supply-chain attack. muchat-ai v2.0.55 (released 2026-04-29 to wp.org, ~100 active installs) ships with API authentication explicitly disabled. The plugin's AuthMiddleware::v…
Suspicious
Audit #34
Speedy Go
— 40 installs
Verdict: SUSPICIOUS. Speedy Go v2.1.0 (released 2026-05-04) is a hostile-shape release pushed to the wp.org slug under the legitimate author's account. The changelog literally advertises "Bypassed all API key and licens…
Benign
Audit #33
5-plugin suite
— 370 combined installs
Verdict: BENIGN. Five plugins published by author Mathew (mathewt) on wp.org — add-as-preferred-source (90 installs), browser-address-bar-color-changer (50), image-zoom-on-hover (30), disable-right-click-content-copy-pr…
Benign
Audit #31
WPMR Google Feed Manager for WooCommerce – Sell on Google Merchant Center & Shopping
— 10k+ installs
Verdict: benign — wp.org guideline violation, not malware. WP Product Feed Manager (display name "WPMR Google Feed Manager for WooCommerce") was closed by wp.org on 2026-04-27 with the standard silent-closure notice ("T…
Benign
Audit #29
Greenshift – animation and page builder blocks
— 70k+ installs
Verdict: benign — wp.org guideline violation, not malware. Greenshift was closed by wp.org twice in four months (2026-01-15 and 2026-04-29) over the same root cause: the free plugin shipped a full paid-license activatio…
Cleaned
Audit #23
JS Help Desk – AI-Powered Support & Ticketing System
— 8k+ installs
Historical audit. The proinstaller module shipped versions 1.0.3 through ~2.0.1 (2015-02 to 2017-03) carrying an eval(curl_exec(JCONSTINST)) primitive — a vendor-controlled remote-PHP-execution channel pointed at setup.…
Benign
Audit #18
WPBot – AI ChatBot for Live Support, Lead Generation, AI Services
— 6k+ installs
Suspect-shape but multiply-unreachable dead code — benign. WPBot's includes/openai/plugin-upgrader/ and includes/integration/openai/plugin-upgrader/ directories ship a self-update class (QCLD_openaiaddon_AutoUpdate) who…
Benign
Audit #17
YARPP – Yet Another Related Posts Plugin
— 100k+ installs
Suspect-shape but structurally unreachable — benign with one regression to flag. YARPP's version_info() matches the high-confidence catalog IOC unserialize_after_remote_call (@unserialize of wp_remote_post body, hardcod…
Benign
Audit #16
Media Cloud for Bunny CDN, Amazon S3, Cloudflare R2, Google Cloud Storage, DigitalOcean and more
— 7k+ installs
Clean — no supply-chain anomaly. Full git-level audit of ilab-media-tools (Media Cloud by interfacelab) covering all 162 published versions back to 2016-07. Single committer for 8 years, zero detection events, zero IOC …
Benign
Audit #15
Content Egg – Affiliate Product Importer & Price Comparison
— 10k+ installs
Historical PHP Object Injection chain in Admitad integration — gated since v6.0.0 (2023-08-21), endpoint dead. Two compounding patterns in application/libs/admitad/AdmitadProducts.php + application/libs/RestClient.php f…
Benign
Audit #30
Subscribe To Comments Reloaded
— 10k+ installs
Verdict: benign — abandonment closure, not malware. Subscribe To Comments Reloaded was closed by wp.org on 2026-04-28 with the standard silent-closure notice ("This closure is temporary, pending a full review"). The clo…
Cleaned
Audit #14
Social Sharing Plugin – Social Warfare
— 20k+ installs
Confirmed malicious supply-chain compromise. Between 2024-04-05 and 2024-06-22 the WarfarePlugins wp.org committer account was used to push six tagged releases (4.4.6.4, 4.4.6.5, 4.4.6.6, 4.4.6.8, 4.4.6.9, 4.4.7.1) cont…
Benign
Audit #32
83-plugin suite
— 203k+ combined installs
Verdict: benign — portfolio-wide guideline violation, not malware. On 2026-04-27 WordPress.org closed 83 plugins from WPFactory's family of author accounts (wpcodefactory, algoritmika, and woobewoo) in a single one-hour…
Malicious Closed by wp.org
Audit #12
Scroll To Top
— 20k+ installs
Update-checker hijack with active stored-XSS / RCE primitives served from a Panama-fronted C2. scroll-top (20,000 active installs) was sold by original author Ga Satrya (@gasatrya) to an actor identified as Benjamin (wp…
Benign
Audit #11
MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites
— 700k+ installs
Who made the change. Committer thanghoang pushed their first commit to this plugin on 2024-07-09, when their WordPress.org account was only 12 days old (created 2024-06-27). New-account commits on established plugins ar…
Benign
Audit #6
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin
— 1M+ installs
Verdict: legitimate team onboarding — not a takeover. alexopen is a Smash Balloon employee ("Alex at Smash Balloon" display name), added as a committer to the five Smash Balloon social-feed plugins owned by Awesome Moti…
Malicious Closed by wp.org
Audit #43
WP Install From Web
— 100 installs
This is a previously-undocumented SiteGuarding supply-chain backdoor burner. It was surfaced by hunting for plugins that WP.org cleaned on closure — i.e. where a Plugin Review Team account force-pushed a code change at …
Malicious Closed by wp.org
Audit #10
Widget Logic
— 100k+ installs
Verdict: malicious. Confirmed supply-chain compromise matching the disclosed attack at anchor.host/how-i-caught-a-wordpress-plugin-supply-chain-attack and covered by TheNextWeb, Yahoo Tech, BigGo, byteiota, and others. …
Malicious Closed by wp.org
Audit #13
Quick Page/Post Redirect Plugin
— 70k+ installs
The original author intentionally weaponized wordpress.org distribution to seed an out-of-band update channel they controlled — and then served tampered builds through that channel after the wp.org-distributed code went…
Malicious Closed by wp.org
Audit #4
33-plugin suite
— 195k+ combined installs
Marketplace acquisition of an established 30-plugin portfolio used as a vehicle for a fleet-wide PHP-deserialization RCE backdoor with on-chain C2 resolution. A buyer identified only as "Kris" purchased the entire Essen…
Malicious Closed by wp.org
Audit #25
WP Advanced Math Captcha
— 6k+ installs
Two distinct supply-chain attack chains in a single 6,000-install plugin, both operated by SiteGuarding (siteguarding.com) through two anonymous wp.org committer accounts. wp.org Plugin Review Team (PRT, plugin-master) …
Malicious Closed by wp.org
Audit #26
Web Image Optimization X
— 100 installs
Attacker-controlled side-channel update endpoint shipped under the cover of "license validation" — same operator (SiteGuarding) and same sibling-plugin pair as audit #25 (wp-advanced-math-captcha). Where the wp-advanced…
Malicious Closed by wp.org
Audit #42
Speedup Optimization
— 100 installs
A previously-undocumented SiteGuarding burner, surfaced by the clean-on-closure hunt and closed in the same 2026-04-07 wave that took down the two documented burners. The backdoor. speedup-optimization.php defines speed…
Malicious Closed by wp.org
Audit #45
WP Google Core Web Vitals Fix
— 400 installs
A SiteGuarding burner with a full remote-code-execution + persistence backdoor — Tier A. Surfaced by the closed-plugin blob scan (the new payload-decode scanner), which matched cmsplughub.com in the trunk that the old P…
Malicious Closed by wp.org
Audit #46
Code Quality Control Tool
— 50 installs
A SiteGuarding burner with an undisclosed wp-config.php persistence injection — Tier A. Surfaced by the closed-plugin blob scan, which matched safetybis.com in the trunk. The persistence mechanism. Patch_WPconfig_file()…
Malicious Closed by wp.org
Audit #47
Magex AI Bot Defender
— 10 installs
A SiteGuarding burner that routes through the safetybis.com C2 — Tier B (undisclosed phone-home / proxy, no in-plugin RCE sink). Surfaced by the closed-plugin blob scan via siteguarding.com + safetybis.com references in…
Malicious Closed by wp.org
Audit #44
ByteDefense Security
— — installs
A SiteGuarding security-branded front, surfaced by the clean-on-closure hunt. Unlike the documented closures that left malware in trunk, WP.org's plugin-master force-pushed a "Removing" commit at closure that stripped t…
Malicious Closed by wp.org
Audit #48
9-plugin suite
— 80 combined installs
Verdict: malicious — a previously-undocumented 2024 wave of nine SiteGuarding supply-chain burner plugins, each on its own throwaway wp.org account. This is a distinct third operational phase of the SiteGuarding operati…
Cleaned
Audit #20
Contact Form Multi-Step Addon
— 300 installs
Confirmed malicious supply-chain compromise of themerex SVN account, recovered by the legitimate maintainer. Between 2024-06-23 22:47 UTC and 2024-06-24 04:10 UTC the themerex account was used to push two malicious "Upg…
Cleaned
Audit #19
BLAZE Retail Widget
— 10 installs
Confirmed malicious supply-chain compromise — 30 commits in a 28-hour burst. Between 2024-06-21 23:21 UTC and 2024-06-24 03:50 UTC the legitimate blazeretail SVN account was used to push 30 commits (all with the message…
Cleaned
Audit #21
Simply Show Hooks
— 4k+ installs
Confirmed malicious supply-chain compromise — stuartobrien SVN account compromised after 8-year dormancy. The plugin had been completely silent since 2016-10-27 (r1522935). On 2024-06-21 23:55 UTC the dormant account wa…
Cleaned
Audit #22
Wrapper Link Elementor
— 700 installs
Confirmed malicious supply-chain compromise — and the only one in the wave that was self-cleaned by the legitimate author before PRT intervened. Between 2024-06-23 22:42 UTC and 2024-06-24 04:07 UTC the pedrogusmao02 SV…
Malicious Closed by wp.org
Audit #28
27-plugin suite
— 8k+ combined installs
SiteGuarding 27-plugin portfolio (2013-2020) — 15 plugins shipped siteguarding_tools.php v1.7 RCE backdoor INLINE in the plugin folder; 12 sibling plugins shipped phone-home guideline violations. wp.org closed all 27 in…