WP Beacon

Online Payment for Bank Mellat

bank-mellat · by zabdolahzadeh · wordpress.org ↗ · SVN ↗
Active installs
100
Current version
2.0.2
Added
2014-11-05
Last updated
2026-02-13 (3mo ago)
First seen by beacon
1mo ago
Total downloads
23,955

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · vendor_self_publishing_iranian_bank_sms_gateway 2026-05-08 11:25:12 (1mo ago)
Slugbank-mellat
Patternhardcoded_ip_url
Kindbuiltin
Version2.0.2
Hit count6
First hit
File
includes/BankMellat/class-bank-mellat-sms.php
Line
40
Snippet
$result = wp_remote_get( 'http://185.4.28.180/class/sms/webservice/send_url.php?from=' . $sms_line_number . '&to=' . $admin_mobile . '&msg=' . urlencode( $sms_text ) . '&uname=' . $sms_user_name .
Explanationplugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "bank-mellat",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "2.0.2",
    "hit_count": 6,
    "first_hit": {
        "file": "includes/BankMellat/class-bank-mellat-sms.php",
        "line": 40,
        "snippet": "$result = wp_remote_get( 'http://185.4.28.180/class/sms/webservice/send_url.php?from=' . $sms_line_number . '&to=' . $admin_mobile . '&msg=' . urlencode( $sms_text ) . '&uname=' . $sms_user_name ."
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

SVN committers (5)

Accounts with actual commit access to bank-mellat on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
theboy007 Young account 2014-11-04 20 2014-11-05 · r1020029 2017-06-13 · r1677227
ParsMizban 2012-06-23 10 2017-06-13 · r1677252 2026-02-13 · r3461054
Farhad Sakhaei 2021-11-25 5 2024-09-02 · r3145591 2024-09-02 · r3145597
DediData 2017-11-08 1 2024-04-13 · r3069969 2024-04-13 · r3069969
plugin-master 2007-03-09 1 2014-11-04 · r1019757 2014-11-04 · r1019757

Readme contributors (3)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
ParsMizban 2012-06-23 10 commits Active
Farhad Sakhaei 2021-11-25 5 commits Active
theboy007 2014-11-04 Active

Versions (5 most recent)

Version Released Download
2.0.2 2026-02-13 · 3mo ago zip
2.0.1 2024-09-02 · 1y ago zip
1.0 2024-04-13 · 2y ago zip
1.3.5 2024-04-13 · 2y ago zip
1.3.7 2024-04-13 · 2y ago zip