Author: nintechnet – WP Beacon

Alerts (0)

No open alerts.

Show 3 resolved alerts

Critical code_pattern NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall Resolved · false_positive_legit_ip_use 2d ago

Slug	ninjafirewall
Pattern	`hardcoded_ip_url`
Kind	`builtin`
Version	`4.8.5`
Hit count	1
First hit	File `lib/help.php` Line 250 Snippet <p><strong>' . __('Block HTTP requests with an IP in the <code>HTTP_HOST</code> header', 'ninjafirewall'). '</strong><br />' . sprintf( __('This option will reject any request using an IP instead of
Explanation	plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.

View raw JSON

{
    "slug": "ninjafirewall",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "4.8.5",
    "hit_count": 1,
    "first_hit": {
        "file": "lib/help.php",
        "line": 250,
        "snippet": "<p><strong>' . __('Block HTTP requests with an IP in the <code>HTTP_HOST</code> header', 'ninjafirewall'). '</strong><br />' . sprintf( __('This option will reject any request using an IP instead of"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

Critical code_pattern NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall Resolved · false_positive_defensive_string_check 2d ago

Slug	ninjafirewall
Pattern	`serialized_admin_role`
Kind	`builtin`
Version	`4.8.5`
Hit count	1
First hit	File `lib/utils.php` Line 1,319 Snippet `if ( strpos( $value, 's:13:"administrator"') === FALSE &&`
Explanation	plugin source contains `s:13:"administrator"` — the PHP-serialized representation of the `administrator` role meta value. Used to bypass `wp_insert_user()` by writing directly to `wp_usermeta` with a hand-crafted capabilities string. Near-zero FP because legit code uses `WP_User::set_role()` instead of building the serialized form by hand.

View raw JSON

{
    "slug": "ninjafirewall",
    "pattern": "serialized_admin_role",
    "kind": "builtin",
    "version": "4.8.5",
    "hit_count": 1,
    "first_hit": {
        "file": "lib/utils.php",
        "line": 1319,
        "snippet": "if ( strpos( $value, 's:13:\"administrator\"') === FALSE &&"
    },
    "explanation": "plugin source contains `s:13:\"administrator\"` \u2014 the PHP-serialized representation of the `administrator` role meta value. Used to bypass `wp_insert_user()` by writing directly to `wp_usermeta` with a hand-crafted capabilities string. Near-zero FP because legit code uses `WP_User::set_role()` instead of building the serialized form by hand."
}

Critical code_scan_delta NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall Resolved · false_positive_cdn_known_good 2d ago

Slug ninjafirewall

Previous version 4.8.5

Current version 4.8.5

New findings

Pattern	Kind	File	Line	Snippet	Confidence
`hardcoded_ip_url`	`builtin`	`lib/help.php`	250	<p><strong>' . __('Block HTTP requests with an IP in the <code>HTTP_HOST</code> header', 'ninjafirewall'). '</strong><br />' . sprintf( __('This option will reject any request using an IP instead of	`high`
`serialized_admin_role`	`builtin`	`lib/utils.php`	1,319	`if ( strpos( $value, 's:13:"administrator"') === FALSE &&`	`high`

New finding count 2

View raw JSON

{
    "slug": "ninjafirewall",
    "previous_version": "4.8.5",
    "current_version": "4.8.5",
    "new_findings": [
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "lib/help.php",
            "line": 250,
            "snippet": "<p><strong>' . __('Block HTTP requests with an IP in the <code>HTTP_HOST</code> header', 'ninjafirewall'). '</strong><br />' . sprintf( __('This option will reject any request using an IP instead of",
            "confidence": "high"
        },
        {
            "pattern": "serialized_admin_role",
            "kind": "builtin",
            "file": "lib/utils.php",
            "line": 1319,
            "snippet": "if ( strpos( $value, 's:13:\"administrator\"') === FALSE &&",
            "confidence": "high"
        }
    ],
    "new_finding_count": 2
}

Plugins authored (4)

Plugin	Version	Installs	Last updated	Status
NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall ·`ninjafirewall`	4.8.5	100k+	1mo ago	Active
NinjaScanner – Virus & Malware scan ·`ninjascanner`	3.3	30k+	16d ago	Active
SaferCheckout Lite – Fraud prevention for WooCommerce ·`safercheckout-lite`	1.10	10	18d ago	Active
NinjaWPass ·`ninjawpass`	1.0.5	—	—	Closed

SVN commit access (3)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin	Primary author	Installs	Commits	First	Latest	Status
NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall	nintechnet	100k+	200	10y ago	1mo ago	Active
NinjaScanner – Virus & Malware scan	nintechnet	30k+	186	8y ago	16d ago	Active
Code Profiler – WordPress Performance Profiling and Debugging Made Easy	bruandet	8k+	2	1y ago	8d ago	Active

Contributor on other plugins (1)

Plugins where this account is listed in the readme contributors (distinct from SVN commit access).

Plugin	Primary author	Version	Installs
Code Profiler – WordPress Performance Profiling and Debugging Made Easy	bruandet	1.9.2	8k+