Plugin: cf7-telegram

Alerts (0)

No open alerts.

Show 3 resolved alerts

Medium code_pattern Resolved · redetect_dupe_of_closed 2026-04-25 10:31:06 (7d ago)

Slug	cf7-telegram
Pattern	`puc_update_hijack`
Kind	`builtin`
Version	`1.0.8`
Hit count	1
First hit	File `lib/Settings.php` Line 170 Snippet `$updateChecker = PucFactory::buildUpdateChecker(`
Explanation	plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape	`github_self_distro`
Url	https://github.com/hokoo/cf7-telegram
Url host	`github.com`
Slug arg	`cf7-telegram`

View raw JSON

{
    "slug": "cf7-telegram",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "1.0.8",
    "hit_count": 1,
    "first_hit": {
        "file": "lib/Settings.php",
        "line": 170,
        "snippet": "$updateChecker = PucFactory::buildUpdateChecker("
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "github_self_distro",
    "url": "https://github.com/hokoo/cf7-telegram",
    "url_host": "github.com",
    "slug_arg": "cf7-telegram"
}

Medium code_pattern Resolved · false_positive_gated_self_update 2026-04-25 09:44:07 (7d ago)

Slug	cf7-telegram
Pattern	`puc_update_hijack`
Kind	`builtin`
Version	`1.0.8`
Hit count	1
First hit	File `lib/Settings.php` Line 170 Snippet `$updateChecker = PucFactory::buildUpdateChecker(`
Explanation	plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape	`github_self_distro`
Url	https://github.com/hokoo/cf7-telegram
Url host	`github.com`
Slug arg	`cf7-telegram`

View raw JSON

{
    "slug": "cf7-telegram",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "1.0.8",
    "hit_count": 1,
    "first_hit": {
        "file": "lib/Settings.php",
        "line": 170,
        "snippet": "$updateChecker = PucFactory::buildUpdateChecker("
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "github_self_distro",
    "url": "https://github.com/hokoo/cf7-telegram",
    "url_host": "github.com",
    "slug_arg": "cf7-telegram"
}

Medium code_pattern Resolved · false_positive_gated_self_update 2026-04-25 00:52:44 (7d ago)

Slug	cf7-telegram
Pattern	`puc_update_hijack`
Kind	`builtin`
Version	`1.0.8`
Hit count	1
First hit	File `lib/Settings.php` Line 170 Snippet `$updateChecker = PucFactory::buildUpdateChecker(`
Explanation	plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape	`github_self_distro`
Url	https://github.com/hokoo/cf7-telegram
Url host	`github.com`
Slug arg	`cf7-telegram`

View raw JSON

{
    "slug": "cf7-telegram",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "1.0.8",
    "hit_count": 1,
    "first_hit": {
        "file": "lib/Settings.php",
        "line": 170,
        "snippet": "$updateChecker = PucFactory::buildUpdateChecker("
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "github_self_distro",
    "url": "https://github.com/hokoo/cf7-telegram",
    "url_host": "github.com",
    "slug_arg": "cf7-telegram"
}

SVN committers (2)

Accounts with actual commit access to cf7-telegram on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer	Member since	Commits	First commit	Latest commit
iTRON	2011-11-03	90	2018-08-01 · r1918431	2026-04-03 · r3498221
plugin-master	2007-03-09	1	2018-08-01 · r1918410	2018-08-01 · r1918410

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor	Member since	SVN access	Status
iTRON	2011-11-03	90 commits	Active
igortron	2026-03-04	—	Active

Versions (45 most recent)

Version	Released	Download
1.0.8	2026-04-03 · 29d ago	zip
1.0.7	2026-04-02 · 1mo ago	zip
1.0.6	2026-04-01 · 1mo ago	zip
1.0.5	2026-03-30 · 1mo ago	zip
1.0.4	2026-01-23 · 3mo ago	zip
1.0.3	2026-01-23 · 3mo ago	zip
1.0.2	2026-01-23 · 3mo ago	zip
1.0.1	2026-01-23 · 3mo ago	zip
1.0.0	2026-01-22 · 3mo ago	zip
-1.0.0	2026-01-22 · 3mo ago	zip
0.11	2025-12-05 · 4mo ago	zip
0.10.2	2025-12-04 · 4mo ago	zip
0.10.1	2025-12-01 · 5mo ago	zip
0.10.0	2025-04-25 · 1y ago	zip
0.9.3	2025-04-24 · 1y ago	zip
0.9.2	2025-04-24 · 1y ago	zip
0.9	2025-04-23 · 1y ago	zip
0.8.7	2025-03-07 · 1y ago	zip
0.8.6	2024-10-27 · 1y ago	zip
0.8.5	2024-10-12 · 1y ago	zip
0.8.4	2024-05-26 · 1y ago	zip
0.8.3	2024-04-15 · 2y ago	zip
0.8.2	2024-04-15 · 2y ago	zip
0.8.1	2024-02-05 · 2y ago	zip
0.8	2020-09-22 · 5y ago	zip
0.7.10.1	2020-04-18 · 6y ago	zip
0.7.10	2020-04-18 · 6y ago	zip
0.7.9	2020-04-18 · 6y ago	zip
0.7.8	2020-02-27 · 6y ago	zip
0.7.7	2020-02-17 · 6y ago	zip
0.7.6	2020-02-11 · 6y ago	zip
0.7.5	2020-02-09 · 6y ago	zip
0.7.4	2020-02-09 · 6y ago	zip
0.7.3	2020-02-09 · 6y ago	zip
0.7.2	2020-02-09 · 6y ago	zip
0.7	2020-02-08 · 6y ago	zip
0.7.1	2020-02-08 · 6y ago	zip
0.6.2	2019-12-05 · 6y ago	zip
0.6.1	2019-11-25 · 6y ago	zip
0.6	2019-11-24 · 6y ago	zip
0.5	2019-10-22 · 6y ago	zip
0.4	2019-10-22 · 6y ago	zip
0.3	2018-11-26 · 7y ago	zip
0.2	2018-10-20 · 7y ago	zip
0.1	2018-09-30 · 7y ago	zip

Message Bridge for Contact Form 7 and Telegram

Alerts (0)

SVN committers (2)

Readme contributors (2)

Versions (45 most recent)