WP Beacon

levelfourdevelopment

@levelfourstorefront · wordpress.org profile ↗
Member since
2012-09-06
Location
Pendleton, OR
Employer
WP EasyCart
Job title
Chief Developer
Authored
2 (1 closed)
SVN commit access
1
Readme contributor
0
Combined install base
4k+ across 2 plugins

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Shopping Cart & eCommerce Store Resolved · false_positive_legit_ip_use 2d ago
Slugwp-easycart
Patternhardcoded_ip_url
Kindbuiltin
Version5.8.14
Hit count1
First hit
File
inc/aws/Aws/data/s3/2006-03-01/endpoint-tests-1.json.php
Line
3
Snippet
return [ 'testCases' => [ [ 'documentation' => 'region is not a valid DNS-suffix', 'expect' => [ 'error' => 'Invalid region: region was not a valid DNS name.', ], 'params' => [ 'Region' => 'a b', 'Use
Explanationplugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "wp-easycart",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "5.8.14",
    "hit_count": 1,
    "first_hit": {
        "file": "inc/aws/Aws/data/s3/2006-03-01/endpoint-tests-1.json.php",
        "line": 3,
        "snippet": "return [ 'testCases' => [ [ 'documentation' => 'region is not a valid DNS-suffix', 'expect' => [ 'error' => 'Invalid region: region was not a valid DNS name.', ], 'params' => [ 'Region' => 'a b', 'Use"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

Plugins authored (2)

Plugin Version Installs Last updated Status
Shopping Cart & eCommerce Store ·wp-easycart 5.8.14 4k+ 2mo ago Active
L4 Shopping Cart ·levelfourstorefront 8.1.17 Closed

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin Primary author Installs Commits First Latest Status
Shopping Cart & eCommerce Store levelfourstorefront 4k+ 500 8y ago 2mo ago Active