Alexandre Froger

Member since: 2018-04-21
Authored: 13 (1 closed)
SVN commit access: 9
Readme contributor: 0
Combined install base: 7k+ across 13 plugins

Alerts (0)

No open alerts.

Resolved alerts (2)

Critical code_pattern Payment gateway for WooCommerce – Woo Alipay Resolved · vendored_alipay_lotusphp_sdk_lib_fp 1mo ago
Slug: woo-alipay
Pattern: direct_mysqli_connect
Kind: builtin
Version: 1.1.3
Hit count: 1
First hit:
  File: lib/alipay/lotusphp_runtime/DB/Adapter/ConnectionAdapter/DbConnectionAdapterMysqli.php
  Line: 6
  Snippet: return new mysqli($connConf["host"], $connConf["username"], $connConf["password"], $connConf["dbname"], $connConf["port"]);
Explanation: plugin instantiates `new mysqli($var['host'], ...)` — a direct MySQL connection bypassing `$wpdb`. Legitimate WordPress plugins always go through `$wpdb` (which already has the connection); a raw `mysqli` connect using parsed wp-config credentials is the credential-harvesting backdoor shape.

Critical code_pattern OTP Authenticator Resolved · vendored_alibabacloud_metadata_service_ip_fp 1mo ago
Slug: otp-authenticator
Pattern: hardcoded_ip_url
Kind: builtin
Version: 1.1
Hit count: 1
First hit:
  File: libraries/alibaba/alibabacloud/client/src/Credentials/Providers/EcsRamRoleProvider.php
  Line: 36
  Snippet: private $uri = 'http://100.100.100.200/latest/meta-data/ram/security-credentials/';
Explanation: plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.

Plugins authored (13)

Plugin · slug | Version | Installs | Last updated | Status
WP Remote Users Sync · wp-remote-users-sync | 2.1.5 | 6k+ | 7mo ago | Active
WP Weixin · wp-weixin | 1.3.18 | 400 | 1y ago | Active
Regen. Thumbs · regen-thumbs | 1.1 | 400 | 7y ago | Active
Payment gateway for WooCommerce – Woo WeChatPay · woo-wechatpay | 1.3.16 | 80 | 2y ago | Active
OTP Authenticator · otp-authenticator | 1.1 | 50 | 4y ago | Active
WP Unpublish · wp-unpublish | 1.1.1 | 40 | 6y ago | Active
Payment gateway for WooCommerce – Woo Alipay · woo-alipay | 1.1.3 | 40 | 6y ago | Active
Private Media · private-media | 1.2 | 40 | 7y ago | Active
UpdatePulse Server · updatepulse-server | 1.0.12 | 20 | 1mo ago | Active
WP Weixin Pay · wp-weixin-pay | 1.3.15 | 10 | 6y ago | Active
WP Weixin Broadcast · wp-weixin-broadcast | 1.3.15 | 10 | 6y ago | Active
Unify WPML Comments · unify-wpml-comments | 1.1 | 10 | 7y ago | Active
WP Plugin Update Server · wp-plugin-update-server | 1.4.13 | | | Closed

SVN commit access (9)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin | Primary author | Installs | Commits | First | Latest | Status
WP Remote Users Sync | frogerme | 6k+ | 59 | 6y ago | 7mo ago | Active
WP Weixin | frogerme | 400 | 47 | 8y ago | 1y ago | Active
Payment gateway for WooCommerce – Woo WeChatPay | frogerme | 80 | 25 | 7y ago | 2y ago | Active
WP Unpublish | frogerme | 40 | 13 | 8y ago | 6y ago | Active
UpdatePulse Server | frogerme | 20 | 12 | 1y ago | 1mo ago | Active
Private Media | frogerme | 40 | 6 | 7y ago | 7y ago | Active
Payment gateway for WooCommerce – Woo Alipay | frogerme | 40 | 5 | 6y ago | 6y ago | Active
Regen. Thumbs | frogerme | 400 | 4 | 8y ago | 7y ago | Active
OTP Authenticator | frogerme | 50 | 3 | 5y ago | 4y ago | Active