ApplyOnline – Application Form Builder and Manager

apply-online · by farhannoor · wordpress.org ↗ · SVN ↗

Active installs: 3k+
Current version: 2.6.8.1
Added: 2015-11-27
Last updated: 2026-02-24 (2mo ago)
First seen by beacon: 11d ago
Total downloads: 238,231

Alerts (0)

No open alerts.

Show 1 resolved alert

Critical code_pattern Resolved · benign_architectural_concern 2026-04-30 15:25:30 (2d ago)

Slug	apply-online
Pattern	`unserialize_after_remote_call`
Kind	`builtin`
Version	`2.6.8.1`
Hit count	1
First hit	File `class-addons-update.php` Line 153 Snippet L149: $request = wp_remote_post($this->update_path, $params ); → L153: return @unserialize( $request['body'] );
Explanation	a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.

View raw JSON

{
    "slug": "apply-online",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "2.6.8.1",
    "hit_count": 1,
    "first_hit": {
        "file": "class-addons-update.php",
        "line": 153,
        "snippet": "L149: $request = wp_remote_post($this->update_path, $params );  \u2192  L153: return @unserialize( $request['body'] );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to apply-online on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer	Member since	Commits	First commit	Latest commit
Farhan Noor	2013-11-03	236	2015-11-27 · r1296104	2026-02-24 · r3468892
plugin-master	2007-03-09	1	2015-11-27 · r1295373	2015-11-27 · r1295373

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor	Member since	SVN access	Status
Farhan Noor	2013-11-03	—	Active

Versions (91 most recent)

Version	Released	Download
2.6.8.1	2026-02-24 · 2mo ago	zip
2.6.8	2026-02-20 · 2mo ago	zip
2.6.7.6	2026-01-23 · 3mo ago	zip
2.6.7.5	2026-01-17 · 3mo ago	zip
2.6.7.4	2026-01-14 · 3mo ago	zip
2.6.7.3	2026-01-03 · 3mo ago	zip
2.6.7.2	2025-05-20 · 11mo ago	zip
2.6.7.1	2024-12-19 · 1y ago	zip
2.6.7	2024-12-16 · 1y ago	zip
2.6.6	2024-11-15 · 1y ago	zip
2.6.5	2024-09-22 · 1y ago	zip
2.6.4	2024-09-17 · 1y ago	zip
2.6.3	2024-09-04 · 1y ago	zip
2.6.2	2024-05-27 · 1y ago	zip
2.6.1	2024-05-22 · 1y ago	zip
2.6	2024-04-09 · 2y ago	zip
2.5.7	2024-03-30 · 2y ago	zip
2.5.6	2024-03-16 · 2y ago	zip
2.5.5	2024-02-18 · 2y ago	zip
2.5.4.2	2024-01-15 · 2y ago	zip
2.5.4.1	2024-01-13 · 2y ago	zip
2.5.4	2023-12-28 · 2y ago	zip
2.5.3	2023-11-13 · 2y ago	zip
2.5.2	2023-08-18 · 2y ago	zip
2.5.1	2023-08-07 · 2y ago	zip
2.5	2023-06-01 · 2y ago	zip
2.4.4	2023-04-10 · 3y ago	zip
2.4.3	2022-09-07 · 3y ago	zip
2.4.2	2022-03-16 · 4y ago	zip
2.4.1	2022-02-03 · 4y ago	zip
2.4	2021-08-31 · 4y ago	zip
2.3	2021-03-19 · 5y ago	zip
2.2.2	2020-07-30 · 5y ago	zip
2.2.1	2020-06-29 · 5y ago	zip
2.2	2020-06-27 · 5y ago	zip
2.1.1	2020-05-08 · 5y ago	zip
2.1	2020-05-02 · 6y ago	zip
2.0.6	2020-05-02 · 6y ago	zip
2.0.5	2020-03-11 · 6y ago	zip
2.0.4	2020-03-02 · 6y ago	zip
2.0.3	2020-01-27 · 6y ago	zip
2.0.2	2019-12-14 · 6y ago	zip
2.0.1	2019-11-28 · 6y ago	zip
2.0	2019-11-19 · 6y ago	zip
1.9.98	2019-11-01 · 6y ago	zip
1.9.97	2019-09-25 · 6y ago	zip
1.9.96	2019-09-21 · 6y ago	zip
1.9.95	2019-08-23 · 6y ago	zip
1.9.94	2019-05-14 · 6y ago	zip
1.9.93	2019-04-25 · 7y ago	zip
1.9.92	2019-04-14 · 7y ago	zip
1.9.91	2019-02-13 · 7y ago	zip
1.9.9.9	2019-01-03 · 7y ago	zip
1.9.9.8	2019-01-03 · 7y ago	zip
1.9.9.7	2018-08-21 · 7y ago	zip
1.9.9.6	2018-07-16 · 7y ago	zip
1.9.9.5	2018-06-14 · 7y ago	zip
1.9.9.4	2018-06-13 · 7y ago	zip
1.9.9.3	2018-06-13 · 7y ago	zip
1.9.9.2	2018-06-10 · 7y ago	zip
1.9.9.1	2018-06-07 · 7y ago	zip
1.9.9	2018-06-07 · 7y ago	zip
1.9.8.1	2018-05-07 · 7y ago	zip
1.9.8	2018-04-15 · 8y ago	zip
1.9.7	2018-04-12 · 8y ago	zip
1.9.6	2018-03-29 · 8y ago	zip
1.9.5	2018-03-08 · 8y ago	zip
1.9.4	2018-03-07 · 8y ago	zip
1.9.3	2018-02-24 · 8y ago	zip
1.9.1	2018-02-20 · 8y ago	zip
1.9.2	2018-02-20 · 8y ago	zip
1.9	2018-02-20 · 8y ago	zip
1.8.3	2017-10-14 · 8y ago	zip
1.8.2	2017-10-11 · 8y ago	zip
1.8.1	2017-09-28 · 8y ago	zip
1.8	2017-09-24 · 8y ago	zip
1.7.1	2017-08-21 · 8y ago	zip
1.7.2	2017-08-21 · 8y ago	zip
1.7	2017-07-31 · 8y ago	zip
1.6.3	2017-04-09 · 9y ago	zip
1.6.2	2017-04-03 · 9y ago	zip
1.6.1	2017-03-28 · 9y ago	zip
1.6	2017-03-23 · 9y ago	zip
1.5.1	2016-12-01 · 9y ago	zip
1.5	2016-11-24 · 9y ago	zip
1.4	2016-08-17 · 9y ago	zip
1.3	2016-04-16 · 10y ago	zip
1.2.1	2015-12-21 · 10y ago	zip
1.2	2015-12-20 · 10y ago	zip
1.1	2015-12-08 · 10y ago	zip
1.0	2015-11-28 · 10y ago	zip