marcodedo

Member since: 2010-08-23
Location: Southern Italy
Employer:
Job title:
Authored: 5 (1 closed)
SVN commit access: 3 (1 closed)
Readme contributor: 1
Combined install base: 2k+ across 6 plugins

Alerts (0)

No open alerts.

Resolved alerts (1)

Severity: Critical
Type: code_pattern
Plugin: WP Restaurant Price List
Status: Resolved · metabox_library_legacy_updater_fp (1mo ago)
Slug: wp-restaurant-price-list
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 1.4.1
Hit count: 1
First hit
  File: assets/meta-box/inc/update/checker.php
  Line: 204
  Snippet: L196: $request = wp_remote_post( → L204: return $response ? @unserialize( $response ) : false;
Explanation: A remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.

Plugins authored (5)

Plugin | Slug | Version | Installs | Last updated | Status
Disclaimer Popup | disclaimer-popup | 1.1.3 | 1k+ | 1y ago | Active
WP Restaurant Price List | wp-restaurant-price-list | 1.4.1 | 500 | 2y ago | Active
Custom Credit Card Icons for Easy Digital Downloads | edd-custom-credit-card-icons | 1.0.0 | 10 | 3y ago | Active
Bulk Remove Users | bulk-remove-users | 1.0 | 10 | 6y ago | Active
Live Chat for Fanpage | live-chat-facebook-fanpage | 3.1.1 | | | Closed

SVN commit access (3)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin | Primary author | Installs | Commits | First | Latest | Status
Live Chat for Fanpage | marcodedo | | 44 | 9y ago | 4y ago | Closed
WP Restaurant Price List | marcodedo | 500 | 36 | 6y ago | 2y ago | Active
Disclaimer Popup | marcodedo | 1k+ | 24 | 5y ago | 1y ago | Active

Contributor on other plugins (1)

Plugins where this account is listed in the readme contributors (distinct from SVN commit access).

Plugin | Primary author | Version | Installs
Popup Coupon Generator for WooCommerce | themeinthebox | 1.3.0 |