Thomas Geiger

@duracelltomi · wordpress.org profile
Member since: 2010-06-25
Location: Budapest, Hungary
Employer: JabJab Online Marketing
Job title: SEM expert
Authored: 1
SVN commit access: 1
Readme contributor: 0
Combined install base: 700k+ across 1 plugins

Alerts (0)

No open alerts.

Resolved alerts (7)

Critical code_pattern GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Resolved · false_positive_legit_ip_use 1d ago
Slug: duracelltomi-google-tag-manager
Pattern: hardcoded_ip_url
Kind: builtin
Version: 1.22.3
Hit count: 38
First hit:
File: integration/whichbrowser/data/profiles.php
Line: 647
Snippet: 'http://112.74.195.169/upload/xmlfiles/STUDIO_X8_HD.XML' => [ 'BLU', 'Studio X8 HD', 'Android', DeviceType::MOBILE ],
Explanation: plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
Critical code_scan_delta GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Resolved · false_positive_cdn_known_good 2d ago
Slug: duracelltomi-google-tag-manager
Previous version: 1.22.3
Current version: 1.22.3
New findings:
Pattern | Kind | File | Line | Snippet | Confidence
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 647 | 'http://112.74.195.169/upload/xmlfiles/STUDIO_X8_HD.XML' => [ 'BLU', 'Studio X8 HD', 'Android', DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 699 | 'http://221.176.65.117/uaprof/CMDC_M601.xml' => [ 'China Mobile', 'M601', 'Android', DeviceType::TABLET ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 701 | 'http://221.176.65.117/uaprof/CMCC-M812.xml' => [ 'China Mobile Device', 'and M812', 'Android', DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 702 | 'http://221.176.65.117/uaprof/M821.xml' => [ 'China Mobile Device', 'and M821', 'Android', DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 703 | 'http://221.176.65.117/uaprof/M823.xml' => [ 'China Mobile Device', 'and M823', 'Android', DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 722 | 'http://122.200.68.229/docs/mini3ix.xml' => [ 'Dell', 'Mini 3ix', 'Android', DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 754 | 'http://211.42.201.70/ua_profile/FLY-2040i.xml' => [ 'Fly', '2040', null, DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 755 | 'http://211.42.201.70/ua_profile/FLY-2040L.xml' => [ 'Fly', '2040', null, DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 758 | 'http://211.42.201.70/ua_profile/Fly-E300.xml' => [ 'Fly', 'E300', null, DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 814 | 'http://211.42.201.70/ua_profile/Fly-LX610.xml' => [ 'Fly', 'LX610', null, DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 817 | 'http://211.42.201.70/ua_profile/FLY-MX200i.xml' => [ 'Fly', 'MX200', null, DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 818 | 'http://211.42.201.70/ua_profile/FLY-MX230.xml' => [ 'Fly', 'MX230', null, DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 819 | 'http://211.42.201.70/ua_profile/FLY-MX300.xml' => [ 'Fly', 'MX300', null, DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 820 | 'http://211.42.201.70/ua_profile/FLY-MX330.xml' => [ 'Fly', 'MX330', null, DeviceType::MOBILE ], | high
hardcoded_ip_url | builtin | integration/whichbrowser/data/profiles.php | 821 | 'http://211.42.201.70/ua_profile/FLY-SL300m.xml' => [ 'Fly', 'SL300', null, DeviceType::MOBILE ], | high
New finding count: 38
Critical domain_younger_than_plugin GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Resolved · no_longer_matches 8d ago
Slug: duracelltomi-google-tag-manager
Domain: 51coolpad.com
Domain source: c2_http_call
Domain registered at: 2025-04-08
Plugin earliest commit: 2013-09-22 17:52:53
Plugin latest release: 2025-12-15 14:45:45
Gap days: 4,215
Domain age at release: 251
Active installs: 700,000
Critical domain_younger_than_plugin GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Resolved · no_longer_matches 8d ago
Slug: duracelltomi-google-tag-manager
Domain: museui.com
Domain source: c2_http_call
Domain registered at: 2024-06-13
Plugin earliest commit: 2013-09-22 17:52:53
Plugin latest release: 2025-12-15 14:45:45
Gap days: 3,916
Domain age at release: 550
Active installs: 700,000
Critical domain_younger_than_plugin GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Resolved · no_longer_matches 8d ago
Slug: duracelltomi-google-tag-manager
Domain: n-keitai.com
Domain source: c2_http_call
Domain registered at: 2024-02-04
Plugin earliest commit: 2013-09-22 17:52:53
Plugin latest release: 2025-12-15 14:45:45
Gap days: 3,786
Domain age at release: 680
Active installs: 700,000
Critical domain_younger_than_plugin GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Resolved · no_longer_matches 8d ago
Slug: duracelltomi-google-tag-manager
Domain: panasonicbox.com
Domain source: c2_http_call
Domain registered at: 2025-09-29
Plugin earliest commit: 2013-09-22 17:52:53
Plugin latest release: 2025-12-15 14:45:45
Gap days: 4,389
Domain age at release: 77
Active installs: 700,000
High domain_younger_than_plugin GTM4WP – A Google Tag Manager (GTM) plugin for WordPress Resolved · no_longer_matches 23h ago
Slug: duracelltomi-google-tag-manager
Domain: bluhelp.com
Domain source: c2_http_call
Domain registered at: 2025-08-10
Plugin earliest commit: 2013-09-22 17:52:53
Plugin latest release: 2025-12-15 14:45:45
Gap days: 4,339
Domain age at release: 127
Active installs: 700,000

Plugins authored (1)

Plugin | Version | Installs | Last updated | Status
GTM4WP – A Google Tag Manager (GTM) plugin for WordPress · duracelltomi-google-tag-manager | 1.22.3 | 700k+ | 4mo ago | Active

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin | Primary author | Installs | Commits | First | Latest | Status
GTM4WP – A Google Tag Manager (GTM) plugin for WordPress | duracelltomi | 700k+ | 200 | 12y ago | 4mo ago | Active