WP Beacon

lusopay

@lusopay · wordpress.org profile ↗
Member since
2015-03-15
Location
Portugal
Employer
LUSOPAY Instituição de Pagamento Lda
Job title
Authored
1
SVN commit access
1
Readme contributor
0
Combined install base
400 across 1 plugins

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Multibanco / MB Way / Payshop / Cofidis Pay (by LUSOPAY) for WooCommerce Resolved · vendor_self_publishing_lusopay_payment 1mo ago
Slugmultibanco-e-ou-payshop-by-lusopay
Patternhardcoded_ip_url
Kindbuiltin
Version5.0.2
Hit count2
First hit
File
includes/class-wc-lusopay-pisp.php
Line
456
Snippet
$lusopay_url = 'http://185.15.20.221:8080/web_dev/run/PISP/' . $chave . '/' . $order_value . '/' . $currency . '/' . $description . '/' . $currentLang;
Explanationplugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "multibanco-e-ou-payshop-by-lusopay",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "5.0.2",
    "hit_count": 2,
    "first_hit": {
        "file": "includes/class-wc-lusopay-pisp.php",
        "line": 456,
        "snippet": "$lusopay_url = 'http://185.15.20.221:8080/web_dev/run/PISP/' . $chave . '/' . $order_value . '/' . $currency . '/' . $description . '/' . $currentLang;"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

Plugins authored (1)

Plugin Version Installs Last updated Status
Multibanco / MB Way / Payshop / Cofidis Pay (by LUSOPAY) for WooCommerce ·multibanco-e-ou-payshop-by-lusopay 5.0.3 400 24d ago Active

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin Primary author Installs Commits First Latest Status
Multibanco / MB Way / Payshop / Cofidis Pay (by LUSOPAY) for WooCommerce lusopay 400 1 11y ago 24d ago Active