Author: wrigs1 – WP Beacon

Alerts (0)

No open alerts.

Show 2 resolved alerts

Critical code_pattern Country Caching For WP Super Cache Resolved · audit:suspicious 1mo ago

Slug	country-caching-extension-for-wp-super-cache
Pattern	`puc_update_hijack`
Kind	`builtin`
Version	`0.8.0`
Hit count	1
First hit	File `cc_wpsc_init.php` Line 17 Snippet `$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker(`
Explanation	plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape	`hijack`
Url	http://blog.XXXXXXXX.com/meta_ccwpsc.json
Url host	`blog.XXXXXXXX.com`
Slug arg	`country-caching-extension-for-wp-super-cache`

View raw JSON

{
    "slug": "country-caching-extension-for-wp-super-cache",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "0.8.0",
    "hit_count": 1,
    "first_hit": {
        "file": "cc_wpsc_init.php",
        "line": 17,
        "snippet": "$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker("
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "hijack",
    "url": "http://blog.XXXXXXXX.com/meta_ccwpsc.json",
    "url_host": "blog.XXXXXXXX.com",
    "slug_arg": "country-caching-extension-for-wp-super-cache"
}

Critical code_pattern Category Country Aware WordPress Resolved · audit:suspicious 1mo ago

Slug	category-country-aware
Pattern	`puc_update_hijack`
Kind	`builtin`
Version	`1.2.3`
Hit count	1
First hit	File `cca_init.php` Line 20 Snippet $myUpdateChecker = Puc_v4_Factory::buildUpdateChecker('http://blog.XXXXXXXXXXXX.com/meta_cca.json', __FILE__, 'category-country-aware');
Explanation	plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape	`hijack`
Url	http://blog.XXXXXXXXXXXX.com/meta_cca.json
Url host	`blog.XXXXXXXXXXXX.com`
Slug arg	`category-country-aware`

View raw JSON

{
    "slug": "category-country-aware",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "1.2.3",
    "hit_count": 1,
    "first_hit": {
        "file": "cca_init.php",
        "line": 20,
        "snippet": "$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker('http://blog.XXXXXXXXXXXX.com/meta_cca.json',\t__FILE__,\t'category-country-aware');"
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "hijack",
    "url": "http://blog.XXXXXXXXXXXX.com/meta_cca.json",
    "url_host": "blog.XXXXXXXXXXXX.com",
    "slug_arg": "category-country-aware"
}

Plugins authored (5)

Plugin	Version	Installs	Last updated	Status
Country Caching For WP Super Cache ·`country-caching-extension-for-wp-super-cache`	0.8.0	200	5y ago	Active
Category Country Aware WordPress ·`category-country-aware`	1.2.3	200	5y ago	Active
Country Caching Extension ·`country-caching-extension`	1.2.0	10	5y ago	Active
British Embassy Finder ·`british-embassy-finder`	0.8.2	—	10y ago	Active
Travel Advice by Country Widget ·`travel-advice-by-country`	1.1.0	—	—	Closed

SVN commit access (5)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin	Primary author	Installs	Commits	First	Latest	Status
Category Country Aware WordPress	wrigs1	200	49	11y ago	5y ago	Active
Country Caching Extension	wrigs1	10	44	11y ago	5y ago	Active
Travel Advice by Country Widget	wrigs1	—	24	15y ago	10y ago	Closed
Country Caching For WP Super Cache	wrigs1	200	23	11y ago	5y ago	Active
British Embassy Finder	wrigs1	—	3	14y ago	10y ago	Active