akshayaswaroop

@akshayaswaroop (wordpress.org profile)
Member since: 2017-07-30
Location / Employer / Job title: (blank)
Authored: 5
SVN commit access: 4
Readme contributor: 0
Combined install base: 2k+ across 5 plugins

Alerts (0)

No open alerts.

Resolved alerts (1)

Severity: Critical
Type: code_pattern
Plugin: Web Server Information
Status: Resolved · fp_ipapi_documented_serialized_php_endpoint · 6d ago (the resolution tag reads as a false positive: ip-api.com's /php endpoint is documented to return serialized PHP, so the deserialize call is the intended client for that format)
Slug: wpheka-web-server-information
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 1.7
Hit count: 1
First hit:
  File: includes/class-wpheka-info-admin-webserver.php
  Line: 109
  Snippet: L109: $query = @unserialize( wp_remote_retrieve_body( wp_remote_get( 'http://ip-api.com/php
Explanation: a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — the classic PHP Object Injection C2 gadget shape. The error-suppressed form is the tell: legitimate code wants to know when deserialization fails; attackers suppress errors so malformed gadgets do not leak. It is a real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.

Plugins authored (5)

Plugin | Slug | Version | Installs | Last updated | Status
WC Moneris Payment Gateway | wc-moneris-payment-gateway | 3.7.0 | 900 | 2mo ago | Active
WC Search Orders By Product | wc-search-orders-by-product | 3.2 | 800 | 3mo ago | Active
WC Backorder Split | wc-backorder-split | 2.2.0 | 50 | 1mo ago | Active
Web Server Information | wpheka-web-server-information | 1.7 | 20 | 3mo ago | Active
Request For Quote | wpheka-request-for-quote | 1.7.2 | 10 | 15d ago | Active

SVN commit access (4)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin | Primary author | Installs | Commits | First | Latest | Status
WC Moneris Payment Gateway | akshayaswaroop | 900 | 92 | 8y ago | 2mo ago | Active
WC Search Orders By Product | akshayaswaroop | 800 | 44 | 8y ago | 3mo ago | Active
Web Server Information | akshayaswaroop | 20 | 15 | 5y ago | 3mo ago | Active
WC Backorder Split | akshayaswaroop | 50 | 1 | 7y ago | 1mo ago | Active