WP Beacon

NextScripts

@nextscripts · wordpress.org profile ↗
Member since
2012-03-01
Location
NJ
Employer
NextScripts
Job title
Authored
1
SVN commit access
1
Readme contributor
0
Combined install base
30k+ across 1 plugins

Alerts (0)

No open alerts.

Show 5 resolved alerts
Critical code_pattern NextScripts: Social Networks Auto-Poster Resolved · false_positive_legit_ip_use 22d ago
Slugsocial-networks-auto-poster-facebook-twitter-g
Patternhardcoded_ip_url
Kindbuiltin
Version4.4.7
Hit count1
First hit
File
inc/nxs_class_snap.php
Line
105
Snippet
nxs_cURLTest("http://45.79.4.45/", "HTTPS to NXSA", "NXS");
Explanationplugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "4.4.7",
    "hit_count": 1,
    "first_hit": {
        "file": "inc/nxs_class_snap.php",
        "line": 105,
        "snippet": "nxs_cURLTest(\"http://45.79.4.45/\", \"HTTPS to NXSA\", \"NXS\");"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}
Critical code_scan_delta NextScripts: Social Networks Auto-Poster Resolved · false_positive_cdn_known_good 22d ago
Slugsocial-networks-auto-poster-facebook-twitter-g
Previous version4.4.7
Current version4.4.7
New findings
PatternKindFileLineSnippetConfidence
hardcoded_ip_urlbuiltininc/nxs_class_snap.php105nxs_cURLTest("http://45.79.4.45/", "HTTPS to NXSA", "NXS");high
New finding count1
View raw JSON
{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "previous_version": "4.4.7",
    "current_version": "4.4.7",
    "new_findings": [
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "inc/nxs_class_snap.php",
            "line": 105,
            "snippet": "nxs_cURLTest(\"http://45.79.4.45/\", \"HTTPS to NXSA\", \"NXS\");",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}
Medium code_scan_match NextScripts: Social Networks Auto-Poster Resolved · code_scan_fp_class_genre_encoding 17d ago
Slugsocial-networks-auto-poster-facebook-twitter-g
Finding count14
Findings
PatternKindFileLineSnippetConfidence
createfuncbuiltinnxs_functions.php424if (!function_exists('nxs_html_to_utf8')){ function nxs_html_to_utf8X ($data){ var_dump($data); return preg_replace_callback("/\\&\\#([0-9]{3,10})\\;/", create_function ('$matches', ' var_dump($matchemedium
createfuncbuiltininc/nxs_functions_adv.php569} rename($tmpX, $tmpX.='.'.$imgType); register_shutdown_function(create_function('', "@unlink('{$tmpX}');")); file_put_contents($tmpX, $imgData);medium
gzinflatebuiltininc/nxs-http.php229if ( false !== ( $decompressed = @gzinflate( $compressed ) ) ) return $decompressed;medium
gzinflatebuiltininc/nxs-http.php240$decompressed = @gzinflate( substr($gzData, $i, -8) ); if ( false !== $decompressed ) return $decompressed;medium
gzinflatebuiltininc/nxs-http.php242$decompressed = @gzinflate( substr($gzData, 2) ); if ( false !== $decompressed ) return $decompressed;medium
base64_decodebuiltininc-cl/wl.php363<?php if ($options['wlBoardsList']!=''){ $gWLBoards = $options['wlBoardsList']; if ( base64_encode(base64_decode($gWLBoards)) === $gWLBoards) $gWLBoards = base64_decode($gWLBoards);medium
base64_decodebuiltininc-cl/wl.php466<?php if (!empty($ntOpt['wlBoardsList'])){ $gWLBoards = $ntOpt['wlBoardsList']; if ( base64_encode(base64_decode($gWLBoards)) === $gWLBoards) $gWLBoards = base64_decode($gWLBoards);medium
createfuncbuiltininc-cl/ap.api.php40rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', "unlink('{$tmp}');"));medium
createfuncbuiltininc-cl/vk.api.php28} rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', "unlink('{$tmp}');")); file_put_contents($tmp, $imgData);medium
createfuncbuiltininc-cl/st.api.php82rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', "unlink('{$tmp}');"));medium
createfuncbuiltininc-cl/fl.api.php40rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', "unlink('{$tmp}');"));medium
base64_decodebuiltininc-cl/apis/xmlrpc-client.php298$value = base64_decode($this->_currentTagContents);medium
base64_decodebuiltininc-cl/apis/OAuth.php200$decoded_sig = base64_decode($signature);medium
createfuncbuiltininc-cl/fp.api.php46rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', "unlink('{$tmp}');"));medium
Resolved shad3aa0472968d6fb4213c920687267aa386b90832
View raw JSON
{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "finding_count": 14,
    "findings": [
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "nxs_functions.php",
            "line": 424,
            "snippet": "if (!function_exists('nxs_html_to_utf8')){ function nxs_html_to_utf8X ($data){ var_dump($data); return preg_replace_callback(\"/\\\\&\\\\#([0-9]{3,10})\\\\;/\", create_function ('$matches', ' var_dump($matche",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc/nxs_functions_adv.php",
            "line": 569,
            "snippet": "} rename($tmpX, $tmpX.='.'.$imgType);  register_shutdown_function(create_function('', \"@unlink('{$tmpX}');\")); file_put_contents($tmpX, $imgData);",
            "confidence": "medium"
        },
        {
            "pattern": "gzinflate",
            "kind": "builtin",
            "file": "inc/nxs-http.php",
            "line": 229,
            "snippet": "if ( false !== ( $decompressed = @gzinflate( $compressed ) ) ) return $decompressed;",
            "confidence": "medium"
        },
        {
            "pattern": "gzinflate",
            "kind": "builtin",
            "file": "inc/nxs-http.php",
            "line": 240,
            "snippet": "$decompressed = @gzinflate( substr($gzData, $i, -8) ); if ( false !== $decompressed ) return $decompressed;",
            "confidence": "medium"
        },
        {
            "pattern": "gzinflate",
            "kind": "builtin",
            "file": "inc/nxs-http.php",
            "line": 242,
            "snippet": "$decompressed = @gzinflate( substr($gzData, 2) ); if ( false !== $decompressed ) return $decompressed;",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "inc-cl/wl.php",
            "line": 363,
            "snippet": "<?php if ($options['wlBoardsList']!=''){ $gWLBoards = $options['wlBoardsList']; if ( base64_encode(base64_decode($gWLBoards)) === $gWLBoards) $gWLBoards = base64_decode($gWLBoards);",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "inc-cl/wl.php",
            "line": 466,
            "snippet": "<?php if (!empty($ntOpt['wlBoardsList'])){ $gWLBoards = $ntOpt['wlBoardsList']; if ( base64_encode(base64_decode($gWLBoards)) === $gWLBoards) $gWLBoards = base64_decode($gWLBoards);",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc-cl/ap.api.php",
            "line": 40,
            "snippet": "rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', \"unlink('{$tmp}');\"));",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc-cl/vk.api.php",
            "line": 28,
            "snippet": "} rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', \"unlink('{$tmp}');\")); file_put_contents($tmp, $imgData);",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc-cl/st.api.php",
            "line": 82,
            "snippet": "rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', \"unlink('{$tmp}');\"));",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc-cl/fl.api.php",
            "line": 40,
            "snippet": "rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', \"unlink('{$tmp}');\"));",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "inc-cl/apis/xmlrpc-client.php",
            "line": 298,
            "snippet": "$value = base64_decode($this->_currentTagContents);",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "inc-cl/apis/OAuth.php",
            "line": 200,
            "snippet": "$decoded_sig = base64_decode($signature);",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc-cl/fp.api.php",
            "line": 46,
            "snippet": "rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', \"unlink('{$tmp}');\"));",
            "confidence": "medium"
        }
    ],
    "resolved_sha": "d3aa0472968d6fb4213c920687267aa386b90832"
}
Medium domain_younger_than_plugin NextScripts: Social Networks Auto-Poster Resolved · no_longer_matches 28d ago
Slugsocial-networks-auto-poster-facebook-twitter-g
Domainnextscripts.net
Domain sourcec2_http_call
Domain registered at2021-06-23
Plugin earliest commit2012-03-02 11:09:36
Plugin latest release2017-10-16 23:49:28
Gap days3,399
Domain age at release-1,345
Active installs30,000
View raw JSON
{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "domain": "nextscripts.net",
    "domain_source": "c2_http_call",
    "domain_registered_at": "2021-06-23",
    "plugin_earliest_commit": "2012-03-02 11:09:36",
    "plugin_latest_release": "2017-10-16 23:49:28",
    "gap_days": 3399,
    "domain_age_at_release": -1345,
    "active_installs": 30000
}
Medium domain_younger_than_plugin NextScripts: Social Networks Auto-Poster Resolved · no_longer_matches 28d ago
Slugsocial-networks-auto-poster-facebook-twitter-g
Domainu.to
Domain sourcec2_http_call
Domain registered at2021-11-18
Plugin earliest commit2012-03-02 11:09:36
Plugin latest release2017-10-16 23:49:28
Gap days3,547
Domain age at release-1,493
Active installs30,000
View raw JSON
{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "domain": "u.to",
    "domain_source": "c2_http_call",
    "domain_registered_at": "2021-11-18",
    "plugin_earliest_commit": "2012-03-02 11:09:36",
    "plugin_latest_release": "2017-10-16 23:49:28",
    "gap_days": 3547,
    "domain_age_at_release": -1493,
    "active_installs": 30000
}

Plugins authored (1)

Plugin Version Installs Last updated Status
NextScripts: Social Networks Auto-Poster ·social-networks-auto-poster-facebook-twitter-g 4.4.7 30k+ 2mo ago Active

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin Primary author Installs Commits First Latest Status
NextScripts: Social Networks Auto-Poster nextscripts 30k+ 200 14y ago 2mo ago Active