WP Beacon

alexandre67fr

@alexandre67fr · wordpress.org profile ↗
Member since
2015-04-12
Location
Employer
Job title
Authored
1
SVN commit access
1
Readme contributor
0
Combined install base
1k+ across 1 plugins

Alerts (0)

No open alerts.

Show 2 resolved alerts
Critical code_scan_delta Formidable PRO2PDF Resolved · fp_unserialize_on_db_row_not_remote_body 6d ago
Slugformidablepro-2-pdf
Previous version3.23
Current version3.24
New findings
PatternKindFileLineSnippetConfidence
unserialize_after_remote_callbuiltinfpropdf.php626L613: $request = wp_remote_get($url); → L626: $files = @unserialize($row['value']);high
New finding count1
View raw JSON
{
    "slug": "formidablepro-2-pdf",
    "previous_version": "3.23",
    "current_version": "3.24",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "fpropdf.php",
            "line": 626,
            "snippet": "L613: $request = wp_remote_get($url);  \u2192  L626: $files = @unserialize($row['value']);",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}
Critical code_pattern Formidable PRO2PDF Resolved · benign_architectural_concern 1mo ago
Slugformidablepro-2-pdf
Patternunserialize_after_remote_call
Kindbuiltin
Version3.23
Hit count1
First hit
File
fpropdf.php
Line
604
Snippet
L591: $request = wp_remote_get($url); → L604: $files = @unserialize($row['value']);
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "formidablepro-2-pdf",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "3.23",
    "hit_count": 1,
    "first_hit": {
        "file": "fpropdf.php",
        "line": 604,
        "snippet": "L591: $request = wp_remote_get($url);  \u2192  L604: $files = @unserialize($row['value']);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

Plugins authored (1)

Plugin Version Installs Last updated Status
Formidable PRO2PDF ·formidablepro-2-pdf 3.24 1k+ 1mo ago Active

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin Primary author Installs Commits First Latest Status
Formidable PRO2PDF alexandre67fr 1k+ 118 11y ago 10y ago Active