WP Beacon

awesomesupport

@awesomesupport · wordpress.org profile ↗
Member since
2016-08-07
Location
Toronto, Canada
Employer
Job title
Authored
1
SVN commit access
1
Readme contributor
0
Combined install base
6k+ across 1 plugins

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Awesome Support – WordPress HelpDesk & Support Plugin Resolved · benign_architectural_concern 2d ago
Slugawesome-support
Patternunserialize_after_remote_call
Kindbuiltin
Version6.3.8
Hit count1
First hit
File
includes/gas-framework/inc/scssphp/scss.inc.php
Line
3,675
Snippet
L3670: $response = wp_remote_get($icache); → L3675: $imports = @unserialize( $body, ['allowed_classes' => false] );
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "awesome-support",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "6.3.8",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/gas-framework/inc/scssphp/scss.inc.php",
        "line": 3675,
        "snippet": "L3670: $response = wp_remote_get($icache);  \u2192  L3675: $imports = @unserialize( $body, ['allowed_classes' => false] );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

Plugins authored (1)

Plugin Version Installs Last updated Status
Awesome Support – WordPress HelpDesk & Support Plugin ·awesome-support 6.3.8 6k+ 1mo ago Active

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin Primary author Installs Commits First Latest Status
Awesome Support – WordPress HelpDesk & Support Plugin awesomesupport 6k+ 93 9y ago 7y ago Active