boldthemes

@boldthemes · wordpress.org profile
Member since: 2016-11-14
Location:
Employer:
Job title:
Authored: 8
SVN commit access: 6
Readme contributor: 0
Combined install base: 59k+ across 8 plugins

Alerts (0)

No open alerts.

Resolved alerts (4)

Critical · code_scan_match · Bold Timeline Lite · Resolved (code_scan_fp_class_vendor_self_hosted_pro_updater) · 17d ago
Slug: bold-timeline-lite
Finding count: 1
Findings:
Pattern | Kind | File | Line | Snippet | Confidence | Details
puc_update_hijack | builtin | bold-builder-light/bold-builder-light.php | 79 | $updateChecker = Puc_v4_Factory::buildUpdateChecker( | high | url: (none), url host: (none), slug arg: (none)
Resolved sha: 9bd1d2430f3c9cebc0b8531acd725caaaba3db67
Medium · code_pattern · Bold Timeline Lite · Resolved (redetect_dupe_of_closed) · 27d ago
Slug: bold-timeline-lite
Pattern: puc_update_hijack
Kind: builtin
Version: 1.2.8
Hit count: 1
First hit:
File: bold-builder-light/bold-builder-light.php
Line: 79
Snippet: $updateChecker = Puc_v4_Factory::buildUpdateChecker(
Explanation: Plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021), where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape: unparseable
Url: (none)
Url host: (none)
Slug arg: (none)
Medium · code_pattern · Bold Timeline Lite · Resolved (false_positive_gated_self_update) · 27d ago
Slug: bold-timeline-lite
Pattern: puc_update_hijack
Kind: builtin
Version: 1.2.8
Hit count: 1
First hit:
File: bold-builder-light/bold-builder-light.php
Line: 79
Snippet: $updateChecker = Puc_v4_Factory::buildUpdateChecker(
Explanation: Plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021), where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape: unparseable
Url: (none)
Url host: (none)
Slug arg: (none)
Medium · code_pattern · Bold Timeline Lite · Resolved (false_positive_gated_self_update) · 28d ago
Slug: bold-timeline-lite
Pattern: puc_update_hijack
Kind: builtin
Version: 1.2.8
Hit count: 1
First hit:
File: bold-builder-light/bold-builder-light.php
Line: 79
Snippet: $updateChecker = Puc_v4_Factory::buildUpdateChecker(
Explanation: Plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021), where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape: unparseable
Url: (none)
Url host: (none)
Slug arg: (none)

Plugins authored (8)

Plugin | Slug | Version | Installs | Last updated | Status
Bold Page Builder | bold-page-builder | 5.7.2 | 40k+ | 1mo ago | Active
Bold Timeline Lite | bold-timeline-lite | 1.2.8 | 10k+ | 5mo ago | Active
AIKO – AI Developer Lite | aiko-developer-lite | 2.0.3 | 6k+ | 10mo ago | Active
Customize Twenty Seventeen | customize-twenty-seventeen | 1.0.5 | 2k+ | 4y ago | Active
Customize Twenty Sixteen | customize-twenty-sixteen | 1.0.2 | 500 | 4y ago | Active
Hero Posts Lite | hero-posts-lite | 1.0.6 | 300 | 12mo ago | Active
OpenGraphiq Lite | opengraphiq-lite | 1.0.0 | 20 | 2y ago | Active
Filter Everything Extra | filter-everything-extra | 1.0.0 | | 1y ago | Active

SVN commit access (6)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin | Primary author | Installs | Commits | First | Latest | Status
Bold Page Builder | boldthemes | 40k+ | 200 | 9y ago | 1mo ago | Active
Bold Timeline Lite | boldthemes | 10k+ | 56 | 6y ago | 5mo ago | Active
Hero Posts Lite | boldthemes | 300 | 27 | 2y ago | 12mo ago | Active
AIKO – AI Developer Lite | boldthemes | 6k+ | 16 | 1y ago | 10mo ago | Active
Customize Twenty Sixteen | boldthemes | 500 | 11 | 9y ago | 4y ago | Active
Customize Twenty Seventeen | boldthemes | 2k+ | 9 | 9y ago | 4y ago | Active