Audit #40 (Suspicious): Kirki – Freeform Page Builder, Website Builder & Customizer — 500k+ installs
Verdict: SUSPICIOUS. The legitimate Kirki Customizer Framework (Aristeides Stathopoulos, 2014–2023, 500,000 active installs, used by hundreds of WordPress themes as a dependency) was effectively replaced at v6.0.0 (rele…
Audit #39 (Suspicious): 2-plugin suite — 8k+ combined installs
This audit re-examines the JoomSky vendor portfolio after audit #23 found setup.joomsky.com was the C2 endpoint for an eval(curl_exec(JCONSTINST)) remote-PHP-execution primitive shipped in js-support-ticket through 2017…
Audit #37 (Suspicious): Category Country Aware WordPress — 100 installs
What's flagged. Same author + same pattern as audit #36 (country-caching-extension-for-wp-super-cache). The plugin wires the Yahnis Elsts Plugin Update Checker (PUC) into a literal-placeholder URL that the author never …
Audit #36 (Suspicious): Country Caching For WP Super Cache — 200 installs
What's flagged. The plugin wires the Yahnis Elsts Plugin Update Checker (PUC) into a literal-placeholder URL that the author never replaced before publishing: `` cc_wpsc_init.php:17-18 $myUpdateChecker = Puc_v4_Factory:…
Audit #38 (Suspicious): WYSIWYG Character Limit for ACF — 100 installs
Verdict: SUSPICIOUS. On 2026-05-06, codeandcore released v4.1.2 of WYSIWYG Character Limit for ACF with a single line change: the activation/opt-in/uninstall tracker that POSTed to wordpress-plugins.pro/receiver.php was…
Audit #35 (Suspicious): Muchat – AI Chatbot (with Autosync) — 200 installs
Verdict: SUSPICIOUS — vendor self-own, not a supply-chain attack. muchat-ai v2.0.55 (released 2026-04-29 to wp.org, ~100 active installs) ships with API authentication explicitly disabled. The plugin's AuthMiddleware::v…
Audit #34 (Suspicious): Speedy Go — 40 installs
Verdict: SUSPICIOUS. Speedy Go v2.1.0 (released 2026-05-04) is a hostile-shape release pushed to the wp.org slug under the legitimate author's account. The changelog literally advertises "Bypassed all API key and licens…