Diego

Member since
2011-01-01
Location
Vienna, Austria
Employer
Aelia
Job title
Owner and omni-developer
Authored
4 (3 closed)
SVN commit access
1
Readme contributor
0
Combined install base
5k+ across 4 plugins

Alerts (0)

No open alerts.

Resolved alerts (1)

Severity
Medium
Type
code_pattern
Plugin
EU VAT Assistant for WooCommerce
Status
Resolved · fp:vendor_premium_update_channel (1d ago)
Slug
woocommerce-eu-vat-assistant
Pattern
puc_update_hijack
Kind
builtin
Version
2.1.30.260413
Hit count
1
First hit
File
src/embedded-framework/wc-aelia-foundation-classes-embedded/src/lib/classes/base/plugin/aelia-plugin.php
Line
142
Snippet
$update_checker = \YahnisElsts\PluginUpdateChecker\v5\PucFactory::buildUpdateChecker( // NOSONAR
Explanation
plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape
unparseable
Url
null
Url host
null
Slug arg
null

Plugins authored (4)

Plugin                                    Slug                                       Version         Installs  Last updated  Status
EU VAT Assistant for WooCommerce          woocommerce-eu-vat-assistant               2.1.30.260413   5k+       2d ago        Active
aelia-foundation-classes-for-woocommerce  aelia-foundation-classes-for-woocommerce   -               -         -             Closed
woocommerce-first-data-gateway            woocommerce-first-data-gateway             -               -         -             Closed
WooCommerce Skrill Gateway Plugin         woocommerce-skrill-moneybookers-gateway    1.4.2.161207    -         -             Closed

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin                            Primary author  Installs  Commits  First    Latest  Status
EU VAT Assistant for WooCommerce  daigo75         5k+       2        11y ago  2d ago  Active