keywordrush

@keywordrush · wordpress.org profile ↗

Member since: 2015-08-17
Location: —
Employer: —
Job title: —
Authored: 1
SVN commit access: 1
Readme contributor: 0
Combined install base: 10k+ across 1 plugins

Alerts (0)

No open alerts.

Show 4 resolved alerts

Critical code_scan_match Content Egg – Affiliate Product Importer & Price Comparison Resolved · already_audit_15 17d ago

Slug content-egg

Finding count 3

Findings

Pattern	Kind	File	Line	Snippet	Confidence
`unserialize_after_remote_call`	`builtin`	`application/libs/RestClient.php`	240	L224: $error_mess .= ' Server replay: ' . \wp_remote_retrieve_body($response); → L240: $res = @unserialize($response);	`high`
`hardcoded_ip_url`	`builtin`	`application/libs/admitad/AdmitadProducts.php`	22	`const API_URI_BASE = 'http://185.58.206.88/wp';`	`high`
http://185.58.206.88/wp	`ioc:url`	`application/libs/admitad/AdmitadProducts.php`	22	`const API_URI_BASE = 'http://185.58.206.88/wp';`	`medium`

Resolved sha 080032542a37c0a08bd49e58d34ba62518d465c6

View raw JSON

{
    "slug": "content-egg",
    "finding_count": 3,
    "findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "application/libs/RestClient.php",
            "line": 240,
            "snippet": "L224: $error_mess .= ' Server replay: ' . \\wp_remote_retrieve_body($response);  \u2192  L240: $res = @unserialize($response);",
            "confidence": "high"
        },
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "application/libs/admitad/AdmitadProducts.php",
            "line": 22,
            "snippet": "const API_URI_BASE = 'http://185.58.206.88/wp';",
            "confidence": "high"
        },
        {
            "pattern": "http://185.58.206.88/wp",
            "kind": "ioc:url",
            "file": "application/libs/admitad/AdmitadProducts.php",
            "line": 22,
            "snippet": "const API_URI_BASE = 'http://185.58.206.88/wp';",
            "confidence": "medium"
        }
    ],
    "resolved_sha": "080032542a37c0a08bd49e58d34ba62518d465c6"
}

Critical code_pattern Content Egg – Affiliate Product Importer & Price Comparison Resolved · audit:benign 24d ago

Slug	content-egg
Pattern	`hardcoded_ip_url`
Kind	`builtin`
Version	`11.0.0`
Hit count	1
First hit	File `application/libs/admitad/AdmitadProducts.php` Line 22 Snippet `const API_URI_BASE = 'http://185.58.206.88/wp';`
Explanation	plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.

View raw JSON

{
    "slug": "content-egg",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "11.0.0",
    "hit_count": 1,
    "first_hit": {
        "file": "application/libs/admitad/AdmitadProducts.php",
        "line": 22,
        "snippet": "const API_URI_BASE = 'http://185.58.206.88/wp';"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

Critical code_pattern Content Egg – Affiliate Product Importer & Price Comparison Resolved · audit:benign 24d ago

Slug	content-egg
Pattern	`unserialize_after_remote_call`
Kind	`builtin`
Version	`11.0.0`
Hit count	1
First hit	File `application/libs/RestClient.php` Line 240 Snippet L224: $error_mess .= ' Server replay: ' . \wp_remote_retrieve_body($response); → L240: $res = @unserialize($response);
Explanation	a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.

View raw JSON

{
    "slug": "content-egg",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "11.0.0",
    "hit_count": 1,
    "first_hit": {
        "file": "application/libs/RestClient.php",
        "line": 240,
        "snippet": "L224: $error_mess .= ' Server replay: ' . \\wp_remote_retrieve_body($response);  \u2192  L240: $res = @unserialize($response);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

Medium code_scan_delta Content Egg – Affiliate Product Importer & Price Comparison Resolved · audit:benign 22d ago

Slug content-egg

Previous version 11.0.0

Current version 11.0.0

New findings

Pattern	Kind	File	Line	Snippet	Confidence
http://185.58.206.88/wp	`ioc:url`	`application/libs/admitad/AdmitadProducts.php`	22	`const API_URI_BASE = 'http://185.58.206.88/wp';`	`medium`

New finding count 1

View raw JSON

{
    "slug": "content-egg",
    "previous_version": "11.0.0",
    "current_version": "11.0.0",
    "new_findings": [
        {
            "pattern": "http://185.58.206.88/wp",
            "kind": "ioc:url",
            "file": "application/libs/admitad/AdmitadProducts.php",
            "line": 22,
            "snippet": "const API_URI_BASE = 'http://185.58.206.88/wp';",
            "confidence": "medium"
        }
    ],
    "new_finding_count": 1
}

Plugins authored (1)

Plugin	Version	Installs	Last updated	Status
Content Egg – Affiliate Product Importer & Price Comparison ·`content-egg`	11.0.0	10k+	28d ago	Active

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin	Primary author	Installs	Commits	First	Latest	Status
Content Egg – Affiliate Product Importer & Price Comparison	keywordrush	10k+	4	10y ago	28d ago	Active