Code and Core

@codeandcore · wordpress.org profile
Member since: 2024-04-24
Location: India
Employer: Code and core Tech LLP
Job title: Partner
Authored: 10
SVN commit access: 6
Readme contributor: 0
Combined install base: 390 across 10 plugins

Alerts (0)

No open alerts.

Resolved alerts (3)
Critical · code_scan_delta · Speedy Go · Resolved · known_audit34_speedygo_continuation · 1d ago
Slug: speedy-go
Previous version: 2.1.1
Current version: 2.1.3
New findings (1)
Pattern: unserialize_after_remote_call
Kind: builtin
File: includes/api-key-api.php
Line: 304
Snippet: L296: $resbody = wp_remote_retrieve_body($response); → L304: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)
Confidence: high
Raw JSON:
{
    "slug": "speedy-go",
    "previous_version": "2.1.1",
    "current_version": "2.1.3",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/api-key-api.php",
            "line": 304,
            "snippet": "L296: $resbody = wp_remote_retrieve_body($response);  \u2192  L304: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}
Critical · code_pattern · Speedy Go · Resolved · fp_safe_unserialize_allowed_classes_false · 26d ago
Slug: speedy-go
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 2.1.1
Hit count: 1
First hit:
File: includes/api-key-api.php
Line: 298
Snippet: L290: $resbody = wp_remote_retrieve_body($response); → L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)
Explanation: a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
Raw JSON:
{
    "slug": "speedy-go",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "2.1.1",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/api-key-api.php",
        "line": 298,
        "snippet": "L290: $resbody = wp_remote_retrieve_body($response);  \u2192  L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
Critical · code_scan_delta · Speedy Go · Resolved · fp_safe_unserialize_allowed_classes_false · 27d ago
Slug: speedy-go
Previous version: 2.1.0
Current version: 2.1.1
New findings (1)
Pattern: unserialize_after_remote_call
Kind: builtin
File: includes/api-key-api.php
Line: 298
Snippet: L290: $resbody = wp_remote_retrieve_body($response); → L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)
Confidence: high
Raw JSON:
{
    "slug": "speedy-go",
    "previous_version": "2.1.0",
    "current_version": "2.1.1",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/api-key-api.php",
            "line": 298,
            "snippet": "L290: $resbody = wp_remote_retrieve_body($response);  \u2192  L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}

Plugins authored (10)

Plugin Version Installs Last updated Status
Slug Search and Admin Columns ·slug-search-and-admin-columns 3.0.0 100 24d ago Active
WYSIWYG Character Limit for ACF ·wysiwyg-character-limit-for-acf 5.0.0 100 24d ago Active
Speedy Go ·speedy-go 2.1.3 50 6d ago Active
Code and Core Remove Empty P Tags ·code-and-core-remove-empty-p-tags 2.1.1 40 24d ago Active
Codeandcore User Registration for CF7 ·codeandcore-user-registration-cf7 2.0.0 40 24d ago Active
Image Preview for ACF Field ·image-preview-for-acf-field 2.0.0 40 24d ago Active
Code and Core Repeater Fields for Contact Form 7 ·code-and-core-repeater-fields-for-contact-form-7 2.0.0 10 24d ago Active
Cross Site Copy Field for ACF ·cross-site-copy-field-for-acf 1.2.1 10 1mo ago Active
One Click Block For Elementor ·one-click-block-for-elementor 1.0.0 11mo ago Active
Admin Login Guard & Branding ·admin-login-guard-branding 2.0.0 24d ago Active

SVN commit access (6)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin Primary author Installs Commits First Latest Status
WYSIWYG Character Limit for ACF codeandcore 100 17 1y ago 24d ago Active
Speedy Go codeandcore 50 13 8mo ago 8d ago Active
Image Preview for ACF Field codeandcore 40 11 1y ago 24d ago Active
Codeandcore User Registration for CF7 codeandcore 40 8 1y ago 24d ago Active
Code and Core Remove Empty P Tags codeandcore 40 8 7mo ago 24d ago Active
Slug Search and Admin Columns codeandcore 100 7 6mo ago 24d ago Active