wpoperations

@wpoperations · wordpress.org profile
Member since: 2017-12-11
Location:
Employer:
Job title:
Authored: 10 (1 closed)
SVN commit access: 6
Readme contributor: 0
Combined install base: 16k+ across 10 plugins

Alerts (0)

No open alerts.

Resolved alerts (1)

Critical · code_pattern · Operation Demo Importer – Demo Importer For WPoperation Themes · Resolved (benign_architectural_concern) · 2d ago
Slug: operation-demo-importer
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 1.2.0
Hit count: 1
First hit
File: classes/importers/class-settings-importer.php
Line: 44
Snippet: L28: $contents = curl_exec($ch); → L44: $data = @unserialize( $raw );
Explanation: a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.

Raw JSON:
{
    "slug": "operation-demo-importer",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "1.2.0",
    "hit_count": 1,
    "first_hit": {
        "file": "classes/importers/class-settings-importer.php",
        "line": 44,
        "snippet": "L28: $contents = curl_exec($ch);  \u2192  L44: $data = @unserialize( $raw );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

Plugins authored (10)

| Plugin | Slug | Version | Installs | Last updated | Status |
|---|---|---|---|---|---|
| SALERT – Fake Sales Notification WooCommerce | salert | 1.3.0 | 9k+ | 3mo ago | Active |
| Active Campaign & Contact Form 7 | wpop-accf | 1.2.3 | 3k+ | 10mo ago | Active |
| Operation Demo Importer – Demo Importer For WPoperation Themes | operation-demo-importer | 1.2.0 | 1k+ | 1y ago | Active |
| Ultra Companion – Companion plugin for WPoperation Themes | ultra-companion | 1.2.0 | 1k+ | 2y ago | Active |
| WPoperation Elementor Addons | wpop-elementor-addons | 1.1.9 | 1k+ | 1y ago | Active |
| Active Campaign & WPForms | active-campaign-wpforms | 1.1.1 | 400 | 1y ago | Active |
| WPOP Contact Form 7 to Hubspot | wpop-contactform-hubspot | 1.0.9 | 200 | 3y ago | Active |
| WPOP's WPForms to HubSpot | wpop-wpforms-to-hubspot | 1.0.5 | 50 | 3y ago | Active |
| WooCommerce to ActiveCampaign by WPOP | ecommerce-to-activecampaign | 1.0.4 | | | Closed |
| Store Booster Lite | store-booster-lite | 1.0.0 | | 4y ago | Active |

SVN commit access (6)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

| Plugin | Primary author | Installs | Commits | First | Latest | Status |
|---|---|---|---|---|---|---|
| SALERT – Fake Sales Notification WooCommerce | wpoperations | 9k+ | 36 | 7y ago | 3mo ago | Active |
| Active Campaign & Contact Form 7 | wpoperations | 3k+ | 33 | 7y ago | 10mo ago | Active |
| Operation Demo Importer – Demo Importer For WPoperation Themes | wpoperations | 1k+ | 26 | 7y ago | 1y ago | Active |
| Ultra Companion – Companion plugin for WPoperation Themes | wpoperations | 1k+ | 24 | 7y ago | 2y ago | Active |
| WPoperation Elementor Addons | wpoperations | 1k+ | 21 | 7y ago | 1y ago | Active |
| Active Campaign & WPForms | wpoperations | 400 | 13 | 6y ago | 1y ago | Active |