Active-install and ratings figures are the last values WP Beacon captured before wordpress.org closed this plugin — wp.org no longer publishes them. Daily downloads are still updated.
Downloads today
2,697
7-day total 9,741
Week over week
▲ +27%
vs prior 7 days
30-day trend
rising
▼ -13%MoM
Abandonment
●●○○○
closed on wp.org
Downloads/dayLinear trend
Active versions
8.4other8.28.3
8.4 · 40.8%other · 38.1%8.2 · 10.6%8.3 · 10.6%
Ratings last captured
No ratings data.
Historical audits (1)
Past investigations, all resolved. No current threat.
a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
"slug": "chatbot",
"pattern": "unserialize_after_remote_call",
"kind": "builtin",
"version": "8.2.4",
"hit_count": 2,
"first_hit": {
"file": "includes/integration/openai/plugin-upgrader/classes/plugin-upgrader.php",
"line": 190,
"snippet": "L185: $request = wp_remote_post($this->update_path, $params ); \u2192 L190: return @unserialize( $request['body'] );"
},
"explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
SVN committers (2)
Accounts with actual commit access to chatbot on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.
Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?