Code and Core

@codeandcore · wordpress.org profile ↗
Member since: 2024-04-24
Location: India
Employer: Code and core Tech LLP
Job title: Partner
Authored: 10
SVN commit access: 6
Readme contributor: 0
Combined install base: 360 across 10 plugins

Alerts (0)

No open alerts.

Resolved alerts (2)
Critical code_pattern Speedy Go Resolved · fp_safe_unserialize_allowed_classes_false 6d ago
Slug: speedy-go
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 2.1.1
Hit count: 1
First hit
File: includes/api-key-api.php
Line: 298
Snippet: L290: $resbody = wp_remote_retrieve_body($response); → L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)
Explanation: a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
Raw JSON:
{
    "slug": "speedy-go",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "2.1.1",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/api-key-api.php",
        "line": 298,
        "snippet": "L290: $resbody = wp_remote_retrieve_body($response);  \u2192  L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
Critical code_scan_delta Speedy Go Resolved · fp_safe_unserialize_allowed_classes_false 6d ago
Slug: speedy-go
Previous version: 2.1.0
Current version: 2.1.1
New findings
Pattern: unserialize_after_remote_call
Kind: builtin
File: includes/api-key-api.php
Line: 298
Snippet: L290: $resbody = wp_remote_retrieve_body($response); → L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)
Confidence: high
New finding count: 1
Raw JSON:
{
    "slug": "speedy-go",
    "previous_version": "2.1.0",
    "current_version": "2.1.1",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/api-key-api.php",
            "line": 298,
            "snippet": "L290: $resbody = wp_remote_retrieve_body($response);  \u2192  L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}

Plugins authored (10)

Plugin Version Installs Last updated Status
Slug Search and Admin Columns ·slug-search-and-admin-columns 2.0.1 100 2mo ago Active
WYSIWYG Character Limit for ACF ·wysiwyg-character-limit-for-acf 4.1.2 100 1mo ago Active
Codeandcore User Registration for CF7 ·codeandcore-user-registration-cf7 1.1.2 50 1mo ago Active
Code and Core Remove Empty P Tags ·code-and-core-remove-empty-p-tags 2.0.1 40 1mo ago Active
Image Preview for ACF Field ·image-preview-for-acf-field 1.1.3 40 1mo ago Active
Speedy Go ·speedy-go 2.1.1 20 18d ago Active
Cross Site Copy Field for ACF ·cross-site-copy-field-for-acf 1.2.1 10 1mo ago Active
One Click Block For Elementor ·one-click-block-for-elementor 1.0.0 10mo ago Active
Code and Core Repeater Fields for Contact Form 7 ·code-and-core-repeater-fields-for-contact-form-7 1.0.0 2mo ago Active
Admin Login Guard & Branding ·admin-login-guard-branding 1.0.1 2mo ago Active

SVN commit access (6)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin Primary author Installs Commits First Latest Status
Slug Search and Admin Columns codeandcore 100 6 5mo ago 2mo ago Active
Image Preview for ACF Field codeandcore 40 2 1y ago 1mo ago Active
WYSIWYG Character Limit for ACF codeandcore 100 1 1y ago 1mo ago Active
Codeandcore User Registration for CF7 codeandcore 50 1 1y ago 1mo ago Active
Speedy Go codeandcore 20 1 7mo ago 18d ago Active
Code and Core Remove Empty P Tags codeandcore 40 1 6mo ago 1mo ago Active