WP Beacon

Vektor,Inc.

@vektor-inc · wordpress.org profile ↗
Member since
2015-01-07
Location
Employer
Job title
Authored
8
SVN commit access
7
Readme contributor
3
Combined install base
344k+ across 11 plugins

Alerts (0)

No open alerts.

Show 2 resolved alerts
Critical code_scan_match VK Blocks Resolved · code_scan_fp_class_vendor_self_hosted_pro_updater 17d ago
Slugvk-blocks
Finding count1
Findings
PatternKindFileLineSnippetConfidenceDetails
puc_update_hijackbuiltinvk-blocks.php204$vk_blocks_update_checker = YahnisElsts\PluginUpdateChecker\v5\PucFactory::buildUpdateChecker(high
Url
https://license.vektor-inc.co.jp/check/?action=get_metadata&slug=vk-blocks-pro
Url host
license.vektor-inc.co.jp
Slug arg
vk-blocks-pro
Resolved sha8b47c00984f544dab136a3e9cb7ef280c8bf888d
View raw JSON
{
    "slug": "vk-blocks",
    "finding_count": 1,
    "findings": [
        {
            "pattern": "puc_update_hijack",
            "kind": "builtin",
            "file": "vk-blocks.php",
            "line": 204,
            "snippet": "$vk_blocks_update_checker = YahnisElsts\\PluginUpdateChecker\\v5\\PucFactory::buildUpdateChecker(",
            "confidence": "high",
            "details": {
                "url": "https://license.vektor-inc.co.jp/check/?action=get_metadata&slug=vk-blocks-pro",
                "url_host": "license.vektor-inc.co.jp",
                "slug_arg": "vk-blocks-pro"
            }
        }
    ],
    "resolved_sha": "8b47c00984f544dab136a3e9cb7ef280c8bf888d"
}
Low code_pattern VK Blocks Resolved · benign_same_author_domain 25d ago
Slugvk-blocks
Patternpuc_update_hijack
Kindbuiltin
Version1.118.2
Hit count1
First hit
File
vk-blocks.php
Line
202
Snippet
$vk_blocks_update_checker = YahnisElsts\PluginUpdateChecker\v5\PucFactory::buildUpdateChecker(
Explanationplugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shapepremium_sibling
Urlhttps://license.vektor-inc.co.jp/check/?action=get_metadata&slug=vk-blocks-pro
Url hostlicense.vektor-inc.co.jp
Slug argvk-blocks-pro
View raw JSON
{
    "slug": "vk-blocks",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "1.118.2",
    "hit_count": 1,
    "first_hit": {
        "file": "vk-blocks.php",
        "line": 202,
        "snippet": "$vk_blocks_update_checker = YahnisElsts\\PluginUpdateChecker\\v5\\PucFactory::buildUpdateChecker("
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "premium_sibling",
    "url": "https://license.vektor-inc.co.jp/check/?action=get_metadata&slug=vk-blocks-pro",
    "url_host": "license.vektor-inc.co.jp",
    "slug_arg": "vk-blocks-pro"
}

Plugins authored (8)

Plugin Version Installs Last updated Status
VK Block Patterns ·vk-block-patterns 1.35.2 100k+ 1mo ago Active
VK Blocks ·vk-blocks 1.118.7 100k+ 21d ago Active
VK Link Target Controller ·vk-link-target-controller 1.10.1 30k+ 29d ago Active
VK Filter Search ·vk-filter-search 2.20.2 6k+ 1mo ago Active
VK Dynamic If Block ·vk-dynamic-if-block 1.6.0 3k+ 2mo ago Active
VK Google Job Posting Manager ·vk-google-job-posting-manager 1.3.1 2k+ 24d ago Active
VK Simple Copy Block ·vk-simple-copy-block 0.1.7 300 1mo ago Active
VK Plugin Beta Tester ·vk-plugin-beta-tester 0.2.9 10 4y ago Active

SVN commit access (7)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin Primary author Installs Commits First Latest Status
VK Filter Search vektor-inc 6k+ 153 5y ago 1mo ago Active
VK Block Patterns vektor-inc 100k+ 150 5y ago 1mo ago Active
VK Link Target Controller vektor-inc 30k+ 56 11y ago 29d ago Active
VK Dynamic If Block vektor-inc 3k+ 50 3y ago 2mo ago Active
VK Simple Copy Block vektor-inc 300 11 2y ago 1mo ago Active
VK Blocks vektor-inc 100k+ 1 7y ago 21d ago Active
VK Google Job Posting Manager vektor-inc 2k+ 1 7y ago 24d ago Active

Contributor on other plugins (3)

Plugins where this account is listed in the readme contributors (distinct from SVN commit access).

Plugin Primary author Version Installs
VK All in One Expansion Unit kurudrive 9.115.0 100k+
Lightning Advanced Unit kurudrive 3.4.1 3k+
VK Front-end Grid Editor kurudrive 1.0.9