keywordrush

@keywordrush · wordpress.org profile ↗
Member since: 2015-08-17
Location: (not provided)
Employer: (not provided)
Job title: (not provided)
Authored: 1
SVN commit access: 1
Readme contributor: 0
Combined install base: 10k+ across 1 plugin

Alerts (0)

No open alerts.

Resolved alerts (3)

Critical code_pattern Content Egg – Affiliate Product Importer & Price Comparison Resolved · audit:benign 4d ago
Slug: content-egg
Pattern: hardcoded_ip_url
Kind: builtin
Version: 11.0.0
Hit count: 1
First hit
File: application/libs/admitad/AdmitadProducts.php
Line: 22
Snippet: const API_URI_BASE = 'http://185.58.206.88/wp';
Explanation: plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "content-egg",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "11.0.0",
    "hit_count": 1,
    "first_hit": {
        "file": "application/libs/admitad/AdmitadProducts.php",
        "line": 22,
        "snippet": "const API_URI_BASE = 'http://185.58.206.88/wp';"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}
Critical code_pattern Content Egg – Affiliate Product Importer & Price Comparison Resolved · audit:benign 4d ago
Slug: content-egg
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 11.0.0
Hit count: 1
First hit
File: application/libs/RestClient.php
Line: 240
Snippet: L224: $error_mess .= ' Server replay: ' . \wp_remote_retrieve_body($response); → L240: $res = @unserialize($response);
Explanation: a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "content-egg",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "11.0.0",
    "hit_count": 1,
    "first_hit": {
        "file": "application/libs/RestClient.php",
        "line": 240,
        "snippet": "L224: $error_mess .= ' Server replay: ' . \\wp_remote_retrieve_body($response);  \u2192  L240: $res = @unserialize($response);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
Medium code_scan_delta Content Egg – Affiliate Product Importer & Price Comparison Resolved · audit:benign 2d ago
Slug: content-egg
Previous version: 11.0.0
Current version: 11.0.0
New findings
Pattern | Kind | File | Line | Snippet | Confidence
http://185.58.206.88/wp | ioc:url | application/libs/admitad/AdmitadProducts.php | 22 | const API_URI_BASE = 'http://185.58.206.88/wp'; | medium
New finding count: 1
View raw JSON
{
    "slug": "content-egg",
    "previous_version": "11.0.0",
    "current_version": "11.0.0",
    "new_findings": [
        {
            "pattern": "http://185.58.206.88/wp",
            "kind": "ioc:url",
            "file": "application/libs/admitad/AdmitadProducts.php",
            "line": 22,
            "snippet": "const API_URI_BASE = 'http://185.58.206.88/wp';",
            "confidence": "medium"
        }
    ],
    "new_finding_count": 1
}

Plugins authored (1)

Plugin | Version | Installs | Last updated | Status
Content Egg – Affiliate Product Importer & Price Comparison · content-egg | 11.0.0 | 10k+ | 8d ago | Active

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin | Primary author | Installs | Commits | First | Latest | Status
Content Egg – Affiliate Product Importer & Price Comparison | keywordrush | 10k+ | 4 | 10y ago | 8d ago | Active