WP Beacon

Print Labels with Barcodes. Create price tags, product labels, order labels for WooCommerce

a4-barcode-generator · by ukrsolution · wordpress.org ↗ · SVN ↗
Active installs
1k+
Current version
3.4.12
Added
2016-07-19
Last updated
2025-09-17 (7mo ago)
First seen by beacon
11d ago
Total downloads
76,040

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · benign_architectural_concern 2026-04-30 15:25:31 (2d ago)
Sluga4-barcode-generator
Patternunserialize_after_remote_call
Kindbuiltin
Version3.4.12
Hit count1
First hit
File
class/Updater/WpAutoUpdate.php
Line
148
Snippet
L145: $request = wp_remote_post($this->update_path, $params); → L148: $serverData = @unserialize($request['body']);
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "a4-barcode-generator",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "3.4.12",
    "hit_count": 1,
    "first_hit": {
        "file": "class/Updater/WpAutoUpdate.php",
        "line": 148,
        "snippet": "L145: $request = wp_remote_post($this->update_path, $params);  \u2192  L148: $serverData = @unserialize($request['body']);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to a4-barcode-generator on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
Dmitry V. (CEO of "UKR Solution") 2016-01-08 370 2016-07-19 · r1456780 2025-09-17 · r3363259
plugin-master 2007-03-09 1 2016-07-18 · r1456123 2016-07-18 · r1456123

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
Dmitry V. (CEO of "UKR Solution") 2016-01-08 370 commits Active