Ultimate Member

@ultimatemember · wordpress.org profile ↗
Member since
2015-01-13
Location
Employer
Ultimate Member Ltd
Job title
Founder
Authored
3
SVN commit access
1
Readme contributor
5
Combined install base
230k+ across 8 plugins

Alerts (0)

No open alerts.

Resolved alerts (2)
Slug: ultimate-member
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 2.11.3
Hit count: 7
First hit
File
includes/core/class-plugin-updater.php
Line
295
Snippet
L279: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L295: $request = ( $request ) ? maybe_unserialize( $request ) : false;
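Explanation: A remote HTTP fetch (`wp_remote_*`/`curl_exec`/`file_get_contents`) is followed by `@unserialize` within the same file — the classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. The error-suppressed form is the tell: legitimate code wants to know when deserialization fails; attackers suppress the error so malformed gadgets do not leak. Note that the lines matched in this alert call WordPress's `maybe_unserialize()` helper on fields of the JSON-decoded response rather than a literal `@unserialize`, so the error-suppression tell does not apply at the call site; what remains to review is how far the plugin trusts the update endpoint's response before deserializing it.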
View raw JSON
{
    "slug": "ultimate-member",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "2.11.3",
    "hit_count": 7,
    "first_hit": {
        "file": "includes/core/class-plugin-updater.php",
        "line": 295,
        "snippet": "L279: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L295: $request = ( $request ) ? maybe_unserialize( $request ) : false;"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*`/`curl_exec`/`file_get_contents`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak."
}
Slug: ultimate-member
Previous version: 2.11.3
Current version: 2.11.3
New findings
| Pattern | Kind | File | Line | Snippet | Confidence |
| --- | --- | --- | --- | --- | --- |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 295 | L279: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L295: $request = ( $request ) ? maybe_unserialize( $request ) : false; | high |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 331 | L326: wp_remote_retrieve_body( $request->$slug->get_version_check ) → L331: $request->$slug->get_version_check->banners = maybe_unserialize( $request->$slug->g… | high |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 335 | L326: wp_remote_retrieve_body( $request->$slug->get_version_check ) → L335: $request->$slug->get_version_check->icons = maybe_unserialize( $request->$slug->get… | high |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 453 | L439: $request = wp_remote_post( → L453: $request->sections = maybe_unserialize( $request->sections ); | high |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 460 | L449: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L460: $request->banners = maybe_unserialize( $request->banners ); | high |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 464 | L449: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L464: $request->icons = maybe_unserialize( $request->icons ); | high |
| unserialize_after_remote_call | builtin | includes/admin/core/class-admin-settings.php | 3,094 | L3074: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L3094: $request = ( $request ) ? maybe_unserialize( $request ) : false; | high |

New finding count: 7
View raw JSON
{
    "slug": "ultimate-member",
    "previous_version": "2.11.3",
    "current_version": "2.11.3",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 295,
            "snippet": "L279: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L295: $request = ( $request ) ? maybe_unserialize( $request ) : false;",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 331,
            "snippet": "L326: wp_remote_retrieve_body( $request->$slug->get_version_check )  \u2192  L331: $request->$slug->get_version_check->banners = maybe_unserialize( $request->$slug->g",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 335,
            "snippet": "L326: wp_remote_retrieve_body( $request->$slug->get_version_check )  \u2192  L335: $request->$slug->get_version_check->icons = maybe_unserialize( $request->$slug->get",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 453,
            "snippet": "L439: $request = wp_remote_post(  \u2192  L453: $request->sections = maybe_unserialize( $request->sections );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 460,
            "snippet": "L449: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L460: $request->banners = maybe_unserialize( $request->banners );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 464,
            "snippet": "L449: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L464: $request->icons = maybe_unserialize( $request->icons );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/admin/core/class-admin-settings.php",
            "line": 3094,
            "snippet": "L3074: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L3094: $request = ( $request ) ? maybe_unserialize( $request ) : false;",
            "confidence": "high"
        }
    ],
    "new_finding_count": 7
}

Plugins authored (3)

Plugin Version Installs Last updated Status
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin ·ultimate-member 2.11.4 200k+ 2d ago Active
JobBoardWP – Job Board Listings and Submissions ·jobboardwp 1.3.5 1k+ 1mo ago Active
ForumWP – Forum & Discussion Board ·forumwp 2.1.9 900 1mo ago Active

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin Primary author Installs Commits First Latest Status
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin ultimatemember 200k+ 175 11y ago 10y ago Active

Contributor on other plugins (5)

Plugins where this account is listed in the readme contributors (distinct from SVN commit access).