Content Egg – Affiliate Product Importer & Price Comparison

content-egg · by keywordrush · wordpress.org · SVN

Active installs: 10k+
Current version: 11.0.0
Added: 2015-08-28
Last updated: 2026-04-24 (28d ago)
First seen by beacon: 1mo ago
Total downloads: 633,480

Historical audits (1)

Past investigations, all resolved. No current threat.
  • Audit #15 (benign): baseline 11.0.0 → head 11.0.0, 24d ago

Alerts (0)

No open alerts.

Resolved alerts (4)
Critical · code_scan_match · Resolved (already_audit_15) · 2026-05-05 13:06:06 (17d ago)
Slug: content-egg
Finding count: 3
Findings
  • Pattern: unserialize_after_remote_call (kind: builtin) · confidence: high
    File: application/libs/RestClient.php · line 240
    Snippet: L224: $error_mess .= ' Server replay: ' . \wp_remote_retrieve_body($response); → L240: $res = @unserialize($response);
  • Pattern: hardcoded_ip_url (kind: builtin) · confidence: high
    File: application/libs/admitad/AdmitadProducts.php · line 22
    Snippet: const API_URI_BASE = 'http://185.58.206.88/wp';
  • Pattern: http://185.58.206.88/wp (kind: ioc:url) · confidence: medium
    File: application/libs/admitad/AdmitadProducts.php · line 22
    Snippet: const API_URI_BASE = 'http://185.58.206.88/wp';
Resolved sha: 080032542a37c0a08bd49e58d34ba62518d465c6
Medium · code_scan_delta · Resolved (audit:benign) · 2026-04-30 08:31:37 (22d ago)
Slug: content-egg
Previous version: 11.0.0
Current version: 11.0.0
New finding count: 1
New findings
  • Pattern: http://185.58.206.88/wp (kind: ioc:url) · confidence: medium
    File: application/libs/admitad/AdmitadProducts.php · line 22
    Snippet: const API_URI_BASE = 'http://185.58.206.88/wp';
Critical · code_pattern · Resolved (audit:benign) · 2026-04-28 09:54:20 (24d ago)
Slug: content-egg
Pattern: hardcoded_ip_url
Kind: builtin
Version: 11.0.0
Hit count: 1
First hit
  File: application/libs/admitad/AdmitadProducts.php
  Line: 22
  Snippet: const API_URI_BASE = 'http://185.58.206.88/wp';
Explanation: plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`); legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
Critical · code_pattern · Resolved (audit:benign) · 2026-04-28 09:54:20 (24d ago)
Slug: content-egg
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 11.0.0
Hit count: 1
First hit
  File: application/libs/RestClient.php
  Line: 240
  Snippet: L224: $error_mess .= ' Server replay: ' . \wp_remote_retrieve_body($response); → L240: $res = @unserialize($response);
Explanation: a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file, the classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legitimate code wants to know when deserialization fails; attackers suppress errors so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.

SVN committers (2)

Accounts with actual commit access to content-egg on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer       Member since               Commits   First commit             Latest commit
keywordrush     2015-08-17 (young account) 4         2015-08-28 · r1233140    2026-04-24 · r3514625
plugin-master   2007-03-09                 1         2015-08-27 · r1232523    2015-08-27 · r1232523

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor     Member since   SVN access   Status
keywordrush     2015-08-17     4 commits    Active

Versions (55 most recent)

Version   Released                 Download
11.0.0 2026-04-24 · 28d ago zip
10.1.0 2025-11-25 · 5mo ago zip
10.0.0 2025-10-19 · 7mo ago zip
9.0.2 2025-08-26 · 8mo ago zip
9.0.1 2025-08-23 · 9mo ago zip
9.0.0 2025-08-20 · 9mo ago zip
8.0.0 2025-04-30 · 1y ago zip
7.0.0 2024-07-23 · 1y ago zip
6.0.0 2023-08-21 · 2y ago zip
5.5.0 2022-11-01 · 3y ago zip
5.4.0 2022-04-25 · 4y ago zip
5.3.0 2022-04-04 · 4y ago zip
5.2.1 2021-06-12 · 4y ago zip
5.2.0 2021-06-11 · 4y ago zip
5.1.0 2020-12-22 · 5y ago zip
5.0.0 2020-10-25 · 5y ago zip
4.9.8 2019-05-12 · 7y ago zip
4.8.0 2018-07-25 · 7y ago zip
4.5.0 2018-03-18 · 8y ago zip
4.4.3 2018-02-08 · 8y ago zip
4.3.0 2017-12-01 · 8y ago zip
4.2.1 2017-11-04 · 8y ago zip
4.0.3 2017-09-15 · 8y ago zip
3.9.1 2017-08-02 · 8y ago zip
3.9.0 2017-07-29 · 8y ago zip
3.7.0 2017-05-29 · 8y ago zip
3.6.2 2017-04-26 · 9y ago zip
3.5.1 2017-03-07 · 9y ago zip
3.5.0 2017-03-07 · 9y ago zip
3.4.1 2017-02-21 · 9y ago zip
3.2.1 2017-01-24 · 9y ago zip
3.2.0 2017-01-24 · 9y ago zip
3.0.5 2016-12-29 · 9y ago zip
3.0.2 2016-12-14 · 9y ago zip
3.0.1 2016-12-14 · 9y ago zip
3.0.0 2016-12-14 · 9y ago zip
2.9.1 2016-11-29 · 9y ago zip
2.9.0 2016-11-27 · 9y ago zip
2.8.1 2016-10-26 · 9y ago zip
2.8.0 2016-10-26 · 9y ago zip
2.7.0 2016-09-16 · 9y ago zip
2.6.1 2016-09-02 · 9y ago zip
2.6.0 2016-08-27 · 9y ago zip
2.5.1 2016-08-15 · 9y ago zip
2.4.2 2016-05-27 · 9y ago zip
2.4.0 2016-05-26 · 9y ago zip
2.3.0 2016-04-03 · 10y ago zip
2.2.0 2016-03-08 · 10y ago zip
2.1.0 2015-12-04 · 10y ago zip
2.0.1 2015-10-31 · 10y ago zip
1.9.0 2015-10-10 · 10y ago zip
1.8.0 2015-09-18 · 10y ago zip
1.7.1 2015-09-02 · 10y ago zip
1.6.1 2015-08-30 · 10y ago zip
1.6.0 2015-08-28 · 10y ago zip