aapanel WP Toolkit

aapanel-wp-toolkit · by aapanel · wordpress.org ↗ · SVN ↗
Active installs
2k+
Current version
1.2
Added
2025-02-10
Last updated
2025-07-29 (11mo ago)
First seen by beacon
2mo ago
Total downloads
4,948

Statistics

2025-01-07 → 2026-06-15 · 525 days
Downloads today
4
7-day total 67
Week over week
▼ -29%
vs prior 7 days
30-day trend
flat
▼ -4% MoM
Abandonment
●○○○○
install base on one version
Downloads/day Linear trend
44133122111002025-012025-042025-062025-092025-122026-032026-06
6750341702026-032026-042026-042026-052026-052026-06
322416802026-052026-052026-052026-062026-062026-06

Active versions

1.2
1.2 · 96.0%other · 4.1%

Ratings

5★
1
4★
0
3★
0
2★
0
1★
0

Support: 0/0 resolved

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · false_positive_defensive_string_check 2026-04-30 15:25:31 (2mo ago)
Slugaapanel-wp-toolkit
Patternserialized_admin_role
Kindbuiltin
Version1.2
Hit count1
First hit
File
includes/class-aapanel-wp-toolkit-agent.php
Line
47
Snippet
$user_id = $wpdb->get_var("select `user_id` from " . $wpdb->usermeta . " where `meta_key` = '" . $wpdb->prefix . "capabilities' and `meta_value` like '%s:13:\"administrator\";b:1;%'"); // retrieve s
Explanationplugin source contains `s:13:"administrator"` — the PHP-serialized representation of the `administrator` role meta value. Used to bypass `wp_insert_user()` by writing directly to `wp_usermeta` with a hand-crafted capabilities string. Near-zero FP because legit code uses `WP_User::set_role()` instead of building the serialized form by hand.
View raw JSON
{
    "slug": "aapanel-wp-toolkit",
    "pattern": "serialized_admin_role",
    "kind": "builtin",
    "version": "1.2",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/class-aapanel-wp-toolkit-agent.php",
        "line": 47,
        "snippet": "$user_id = $wpdb->get_var(\"select `user_id` from \" . $wpdb->usermeta . \" where `meta_key` = '\" . $wpdb->prefix . \"capabilities' and `meta_value` like '%s:13:\\\"administrator\\\";b:1;%'\"); // retrieve s"
    },
    "explanation": "plugin source contains `s:13:\"administrator\"` \u2014 the PHP-serialized representation of the `administrator` role meta value. Used to bypass `wp_insert_user()` by writing directly to `wp_usermeta` with a hand-crafted capabilities string. Near-zero FP because legit code uses `WP_User::set_role()` instead of building the serialized form by hand."
}

SVN committers (2)

Accounts with actual commit access to aapanel-wp-toolkit on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
aapanel 2024-08-08 14 2025-02-10 · r3237706 2025-07-29 · r3335634
plugin-master 2007-03-09 1 2025-01-06 · r3217828 2025-01-06 · r3217828

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
aapanel 2024-08-08 14 commits Active

Versions (3 most recent)

Version Released Download
1.2 2025-07-29 · 11mo ago zip
1.1 2025-07-29 · 11mo ago zip
1.0 2025-02-10 · 1y ago zip