WP Beacon
Critical code_pattern
Email OTP Authenticator – Login, Register, 2FA & Session Lock Resolved · commented_out_unserialize_lowercase_wpautoupdate_r
1mo ago
| Slug | email-otp-authenticator |
|---|---|
| Pattern | unserialize_after_remote_call |
| Kind | builtin |
| Version | 6.4.1 |
| Hit count | 4 |
| First hit |
|
| Explanation | a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised. |
View raw JSON
{
"slug": "email-otp-authenticator",
"pattern": "unserialize_after_remote_call",
"kind": "builtin",
"version": "6.4.1",
"hit_count": 4,
"first_hit": {
"file": "lib_old/wp_autoupdate.php",
"line": 259,
"snippet": "L254: $request = wp_remote_post($this->update_path, $params ); \u2192 L259: //return @unserialize( $request['body'] );"
},
"explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}