SoftTech-IT bKash, Rocket, Nagad

bkash · by sujon3g · wordpress.org ↗ · SVN ↗
Active installs
6k+
Current version
2.4
Added
2016-09-26
Last updated
2024-10-17 (1y ago)
First seen by beacon
2mo ago
Total downloads
166,518

Statistics

2024-06-17 → 2026-07-01 · 745 days
Downloads today
27
7-day total 206
Week over week
▼ -6%
vs prior 7 days
30-day trend
flat
▼ -33% MoM
Abandonment
●●○○○
no update in >1yr; install base on one version
Downloads/day Linear trend
1k77151425702024-062024-102025-022025-062025-102026-022026-07
10680532702026-042026-042026-052026-052026-062026-06
4937251202026-062026-062026-062026-062026-062026-06

Active versions

2.4
2.4 · 90.8%2.2 · 6.3%other · 2.9%

Ratings

5★
34
4★
1
3★
0
2★
1
1★
6

Support: 0/0 resolved

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · false_positive_legit_ip_use 2026-04-30 15:25:30 (2mo ago)
Slugbkash
Patternhardcoded_ip_url
Kindbuiltin
Version2.4
Hit count1
First hit
File
index.php
Line
82
Snippet
( http://66.45.237.70/api.php )</p>
Explanationplugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "bkash",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "2.4",
    "hit_count": 1,
    "first_hit": {
        "file": "index.php",
        "line": 82,
        "snippet": "( http://66.45.237.70/api.php )</p>"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

SVN committers (2)

Accounts with actual commit access to bkash on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
Md. Toriqul Mowla 2014-10-02 29 2016-09-26 · r1502781 2024-10-17 · r3170527
plugin-master 2007-03-09 1 2016-08-29 · r1485960 2016-08-29 · r1485960

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
Md. Toriqul Mowla 2014-10-02 29 commits Active
Zinan Nadeem 2013-10-28 Active