info@welcart

Member since
2009-10-13
Location
Fukui, Japan
Employer
Welcart Inc.
Job title
Authored
4 (1 closed)
SVN commit access
1
Readme contributor
1
Combined install base
10k+ across 5 plugins

Alerts (0)

No open alerts.

Resolved alerts (1)
Medium code_pattern Welcart e-Commerce Resolved · fp:vendor_premium_update_channel 2d ago
Slug
usc-e-shop
Pattern
puc_update_hijack
Kind
builtin
Version
2.11.28
Hit count
1
First hit
File
includes/update_check.php
Line
194
Snippet
$$slug = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug );
Explanation
plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape
unparseable
Url
Url host
Slug arg
Raw JSON
{
    "slug": "usc-e-shop",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "2.11.28",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/update_check.php",
        "line": 194,
        "snippet": "$$slug     = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug );"
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "unparseable",
    "url": null,
    "url_host": null,
    "slug_arg": null
}

Plugins authored (4)

| Plugin | Version | Installs | Last updated | Status |
| --- | --- | --- | --- | --- |
| Welcart e-Commerce · usc-e-shop | 2.11.28 | 10k+ | 1mo ago | Active |
| e-SCOTT Smart pro for WooCommerce · woo-sonypayment | 2.0.7 | 10 | 2d ago | Active |
| Failure · welcart | 0.1.2 | | 16y ago | Active |
| welcart-shopping-cart · welcart-shopping-cart | | | | Closed |

SVN commit access (1)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

| Plugin | Primary author | Installs | Commits | First | Latest | Status |
| --- | --- | --- | --- | --- | --- | --- |
| Welcart e-Commerce | uscnanbu | 10k+ | 500 | 8y ago | 1mo ago | Active |

Contributor on other plugins (1)

Plugins where this account is listed in the readme contributors (distinct from SVN commit access).

| Plugin | Primary author | Version | Installs |
| --- | --- | --- | --- |
| e-SCOTT Smart light for WooCommerce | sonypaymentservices | 2.0.7 | 100 |