Bold Timeline Lite

bold-timeline-lite · by boldthemes
Active installs: 10k+
Current version: 1.2.8
Added: 2020-03-25
Last updated: 2025-12-11 (4mo ago)
First seen by beacon: 11d ago
Total downloads: 208,130

Alerts (0)

No open alerts.

Resolved alerts (3)

Medium code_pattern Resolved · redetect_dupe_of_closed 2026-04-25 10:31:06 (7d ago)
Slug: bold-timeline-lite
Pattern: puc_update_hijack
Kind: builtin
Version: 1.2.8
Hit count: 1
First hit:
  File: bold-builder-light/bold-builder-light.php
  Line: 79
  Snippet: $updateChecker = Puc_v4_Factory::buildUpdateChecker(
Explanation: plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape: unparseable
Url: null
Url host: null
Slug arg: null
Raw JSON:
{
    "slug": "bold-timeline-lite",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "1.2.8",
    "hit_count": 1,
    "first_hit": {
        "file": "bold-builder-light/bold-builder-light.php",
        "line": 79,
        "snippet": "$updateChecker = Puc_v4_Factory::buildUpdateChecker("
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "unparseable",
    "url": null,
    "url_host": null,
    "slug_arg": null
}
Medium code_pattern Resolved · false_positive_gated_self_update 2026-04-25 09:44:07 (7d ago)
Slug: bold-timeline-lite
Pattern: puc_update_hijack
Kind: builtin
Version: 1.2.8
Hit count: 1
First hit:
  File: bold-builder-light/bold-builder-light.php
  Line: 79
  Snippet: $updateChecker = Puc_v4_Factory::buildUpdateChecker(
Explanation: plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape: unparseable
Url: null
Url host: null
Slug arg: null
Medium code_pattern Resolved · false_positive_gated_self_update 2026-04-25 00:52:44 (7d ago)
Slug: bold-timeline-lite
Pattern: puc_update_hijack
Kind: builtin
Version: 1.2.8
Hit count: 1
First hit:
  File: bold-builder-light/bold-builder-light.php
  Line: 79
  Snippet: $updateChecker = Puc_v4_Factory::buildUpdateChecker(
Explanation: plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape: unparseable
Url: null
Url host: null
Slug arg: null

SVN committers (2)

Accounts with actual commit access to bold-timeline-lite on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer | Member since | Commits | First commit | Latest commit
boldthemes | 2016-11-14 | 56 | 2020-03-25 · r2267708 | 2025-12-11 · r3417223
plugin-master | 2007-03-09 | 1 | 2020-03-25 · r2267670 | 2020-03-25 · r2267670

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor | Member since | SVN access | Status
boldthemes | 2016-11-14 | 56 commits | Active

Versions (5 most recent)

Version | Released | Download
1.2.8 | 2025-12-11 · 4mo ago | zip
1.2.7 | 2025-10-10 · 6mo ago | zip
1.2.6 | 2025-05-22 · 11mo ago | zip
1.2.4 | 2025-04-09 · 1y ago | zip
1.1.7 | 2023-04-11 · 3y ago | zip