WP Beacon

Category Country Aware WordPress

category-country-aware · by wrigs1 · wordpress.org ↗ · SVN ↗
Active installs
200
Current version
1.2.3
Added
2014-11-18
Last updated
2021-03-24 (5y ago)
First seen by beacon
1mo ago
Total downloads
9,010

Historical audits (1)

Past investigations, all resolved. No current threat.
  • Suspicious Audit #37 baseline → head 1.2.3 1mo ago

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · audit:suspicious 2026-05-08 09:56:56 (1mo ago)
Slugcategory-country-aware
Patternpuc_update_hijack
Kindbuiltin
Version1.2.3
Hit count1
First hit
File
cca_init.php
Line
20
Snippet
$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker('http://blog.XXXXXXXXXXXX.com/meta_cca.json', __FILE__, 'category-country-aware');
Explanationplugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shapehijack
Urlhttp://blog.XXXXXXXXXXXX.com/meta_cca.json
Url hostblog.XXXXXXXXXXXX.com
Slug argcategory-country-aware
View raw JSON
{
    "slug": "category-country-aware",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "1.2.3",
    "hit_count": 1,
    "first_hit": {
        "file": "cca_init.php",
        "line": 20,
        "snippet": "$myUpdateChecker = Puc_v4_Factory::buildUpdateChecker('http://blog.XXXXXXXXXXXX.com/meta_cca.json',\t__FILE__,\t'category-country-aware');"
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "hijack",
    "url": "http://blog.XXXXXXXXXXXX.com/meta_cca.json",
    "url_host": "blog.XXXXXXXXXXXX.com",
    "slug_arg": "category-country-aware"
}

SVN committers (2)

Accounts with actual commit access to category-country-aware on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
wrigs1 2010-09-29 49 2014-11-18 · r1028163 2021-03-24 · r2502450
plugin-master 2007-03-09 1 2014-11-18 · r1028092 2014-11-18 · r1028092

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
wrigs1 2010-09-29 49 commits Active

Versions (14 most recent)

Version Released Download
1.2.3 2018-07-01 · 7y ago zip
1.2.2 2018-05-27 · 8y ago zip
1.2.1 2018-05-25 · 8y ago zip
1.2.0 2018-05-02 · 8y ago zip
1.1.0 2017-09-12 · 8y ago zip
1.0.1 2017-07-24 · 8y ago zip
0.9.2 2015-08-09 · 10y ago zip
0.9.1 2015-08-02 · 10y ago zip
0.9.0 2015-05-14 · 11y ago zip
0.8.5 2015-03-18 · 11y ago zip
0.8.0 2015-01-24 · 11y ago zip
0.7.7 2015-01-22 · 11y ago zip
0.7.0 2014-12-06 · 11y ago zip
0.6.1 2014-11-19 · 11y ago zip