Content Egg – Affiliate Product Importer & Price Comparison

content-egg · by keywordrush · wordpress.org ↗ · SVN ↗
Active installs: 10k+
Current version: 11.0.0
Added: 2015-08-28
Last updated: 2026-04-24 (8d ago)
First seen by beacon: 11d ago
Total downloads: 632,955

Historical audits (1)

Past investigations, all resolved. No current threat.
  • Benign Audit #15 baseline 11.0.0 → head 11.0.0 4d ago

Alerts (0)

No open alerts.

Resolved alerts (3)

Medium · code_scan_delta · Resolved · audit:benign · 2026-04-30 08:31:37 (2d ago)
Slug: content-egg
Previous version: 11.0.0
Current version: 11.0.0
New findings (1):
  Pattern: http://185.58.206.88/wp
  Kind: ioc:url
  File: application/libs/admitad/AdmitadProducts.php
  Line: 22
  Snippet: const API_URI_BASE = 'http://185.58.206.88/wp';
  Confidence: medium
New finding count: 1
Raw JSON:
{
    "slug": "content-egg",
    "previous_version": "11.0.0",
    "current_version": "11.0.0",
    "new_findings": [
        {
            "pattern": "http://185.58.206.88/wp",
            "kind": "ioc:url",
            "file": "application/libs/admitad/AdmitadProducts.php",
            "line": 22,
            "snippet": "const API_URI_BASE = 'http://185.58.206.88/wp';",
            "confidence": "medium"
        }
    ],
    "new_finding_count": 1
}
Critical · code_pattern · Resolved · audit:benign · 2026-04-28 09:54:20 (4d ago)
Slug: content-egg
Pattern: hardcoded_ip_url
Kind: builtin
Version: 11.0.0
Hit count: 1
First hit:
  File: application/libs/admitad/AdmitadProducts.php
  Line: 22
  Snippet: const API_URI_BASE = 'http://185.58.206.88/wp';
Explanation: plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
Raw JSON:
{
    "slug": "content-egg",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "11.0.0",
    "hit_count": 1,
    "first_hit": {
        "file": "application/libs/admitad/AdmitadProducts.php",
        "line": 22,
        "snippet": "const API_URI_BASE = 'http://185.58.206.88/wp';"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}
Critical · code_pattern · Resolved · audit:benign · 2026-04-28 09:54:20 (4d ago)
Slug: content-egg
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 11.0.0
Hit count: 1
First hit:
  File: application/libs/RestClient.php
  Line: 240
  Snippet: L224: $error_mess .= ' Server replay: ' . \wp_remote_retrieve_body($response); → L240: $res = @unserialize($response);
Explanation: a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
Raw JSON:
{
    "slug": "content-egg",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "11.0.0",
    "hit_count": 1,
    "first_hit": {
        "file": "application/libs/RestClient.php",
        "line": 240,
        "snippet": "L224: $error_mess .= ' Server replay: ' . \\wp_remote_retrieve_body($response);  \u2192  L240: $res = @unserialize($response);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
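The two builtin patterns behind the resolved alerts above (hardcoded_ip_url with its RFC1918/loopback/link-local and vendor/tests post-filter, and unserialize_after_remote_call with its error-suppression tell) re-implemented as a stand-alone scanner and run over a constructed PHP tree. This is an added example written for this page, not beacon's own scanner: the regexes, the Hit record and the sample files are assumptions. The AdmitadProducts.php and RestClient.php lines are taken from the snippets shown above (with different line numbers, since the rest of those files is not on the page); every other sample line is made up, using the 198.51.100.0/24 documentation range where a routable address is needed.

```python
"""Re-implementation of two builtin code_pattern checks (added example, not beacon code)."""
import ipaddress
import re
from dataclasses import dataclass

# Raw-IPv4 URL: scheme, dotted quad (group 1), optional port, optional path.
IP_URL_RE = re.compile(r"""https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/[^\s'"]*)?""")
# Remote-fetch calls the explanation names (wp_remote_* / curl_exec); \b also matches after a leading "\".
REMOTE_CALL_RE = re.compile(r"\b(?:wp_remote_(?:get|post|request|retrieve_body)|curl_exec)\s*\(")
# unserialize( with the optional @ suppression operator captured in group 1.
UNSERIALIZE_RE = re.compile(r"(@?)\bunserialize\s*\(")

# Post-filter from the page: these ranges are dev leftovers, not C2.
SKIP_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local
)]
SKIP_DIRS = {"vendor", "tests"}


@dataclass
class Hit:
    pattern: str
    file: str
    line: int
    snippet: str
    note: str = ""


def path_is_skipped(path: str) -> bool:
    """True when any directory component of the path is vendor/ or tests/."""
    return any(part in SKIP_DIRS for part in path.split("/")[:-1])


def ip_is_skipped(ip_text: str) -> bool:
    """True for unparseable addresses and for the post-filtered ranges."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True
    return any(ip in net for net in SKIP_NETS)


def find_hardcoded_ip_urls(source: str, path: str) -> list[Hit]:
    if path_is_skipped(path):
        return []
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in IP_URL_RE.finditer(line):
            if not ip_is_skipped(m.group(1)):
                hits.append(Hit("hardcoded_ip_url", path, lineno, line.strip()))
    return hits


def find_unserialize_after_remote_call(source: str, path: str) -> list[Hit]:
    """Flag unserialize( that comes after a remote fetch in the same file; record the @."""
    hits = []
    last_remote = None  # (lineno, stripped line) of the most recent fetch seen so far
    for lineno, line in enumerate(source.splitlines(), start=1):
        if REMOTE_CALL_RE.search(line):
            last_remote = (lineno, line.strip())
        m = UNSERIALIZE_RE.search(line)
        if m and last_remote is not None:
            snippet = f"L{last_remote[0]}: {last_remote[1]}  →  L{lineno}: {line.strip()}"
            note = "error-suppressed (@)" if m.group(1) == "@" else "unsuppressed"
            hits.append(Hit("unserialize_after_remote_call", path, lineno, snippet, note))
    return hits


def scan(files: dict[str, str]) -> list[Hit]:
    hits = []
    for path, source in files.items():
        hits += find_hardcoded_ip_urls(source, path)
        hits += find_unserialize_after_remote_call(source, path)
    return hits


# Constructed sample tree (path -> PHP source). Only the Admitad constant and the
# RestClient fetch/unserialize lines come from this page; everything else is made up.
SAMPLE_FILES = {
    "application/libs/admitad/AdmitadProducts.php": "\n".join([
        "<?php", "// constructed sample",
        "const API_URI_BASE = 'http://185.58.206.88/wp';",        # routable: flagged
    ]),
    "application/Dev.php": "\n".join([
        "<?php",
        "$health = 'http://127.0.0.1:8080/health';",              # loopback: skipped
        "$lan    = 'http://10.0.0.5/x';",                         # RFC1918: skipped
        "$meta   = 'http://169.254.169.254/latest/';",            # link-local: skipped
        "$cdn    = 'https://198.51.100.7/assets/app.js';",        # routable: flagged
    ]),
    "vendor/sample/Client.php": "\n".join([
        "<?php", "$api = 'http://198.51.100.9/v1';",              # under vendor/: skipped
    ]),
    "application/libs/RestClient.php": "\n".join([
        "<?php", "function fetch($url) {",
        r"    $response = \wp_remote_get($url);",
        r"    if (\is_wp_error($response)) {",
        r"        $error_mess .= ' Server replay: ' . \wp_remote_retrieve_body($response);",
        "    }",
        "    $res = @unserialize($response);",                    # fetch then @unserialize: flagged
        "    return $res;", "}",
    ]),
    "application/Cache.php": "\n".join([
        "<?php", "$cached = unserialize(get_option('ce_cache'));",  # no fetch before it: no hit
        "$fresh  = wp_remote_get($url);",
    ]),
    "application/Safe.php": "\n".join([
        "<?php", "$response = wp_remote_get($url);",
        "$res = json_decode(wp_remote_retrieve_body($response), true);",  # json, not unserialize
    ]),
}

if __name__ == "__main__":
    for h in scan(SAMPLE_FILES):
        print(f"{h.pattern:30} {h.file}:{h.line}  {h.note}")
        print(f"    {h.snippet}")
```

Two of the negative samples matter as much as the positives: Cache.php shows that the ordering rule is within-file and directional (an unserialize that precedes every fetch is not the C2 shape), and Safe.php is the remediation direction for RestClient.php, decoding the remote body as JSON so no object graph is ever reconstructed from network input.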

SVN committers (2)

Accounts with actual commit access to content-egg on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer       Member since                 Commits   First commit            Latest commit
keywordrush     2015-08-17 (Young account)   4         2015-08-28 · r1233140   2026-04-24 · r3514625
plugin-master   2007-03-09                   1         2015-08-27 · r1232523   2015-08-27 · r1232523
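How a committer table like the one above is reconstructed from `svn log`, as an added example (not beacon's code): parse the XML form of the log, aggregate per author, and flag authors whose first commit lands after a chosen date, which is the ownership-change signal the text describes. The sample log is constructed from the three revisions this page lists (r1232523, r1233140, r3514625), so the commit counts it yields are lower than the table's; the timestamps and commit messages are placeholders. The real input comes from `svn log --xml https://plugins.svn.wordpress.org/content-egg/`.

```python
"""Reconstruct SVN committers from `svn log --xml` output (added example, not beacon code)."""
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample: the three content-egg revisions shown on this page, newest first
# as svn prints them. Times and messages are placeholders.
SAMPLE_SVN_LOG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log>
<logentry revision="3514625">
<author>keywordrush</author>
<date>2026-04-24T00:00:00.000000Z</date>
<msg>placeholder</msg>
</logentry>
<logentry revision="1233140">
<author>keywordrush</author>
<date>2015-08-28T00:00:00.000000Z</date>
<msg>placeholder</msg>
</logentry>
<logentry revision="1232523">
<author>plugin-master</author>
<date>2015-08-27T00:00:00.000000Z</date>
<msg>placeholder</msg>
</logentry>
</log>
"""


def parse_svn_log(xml_text: str) -> list[dict]:
    """Return log entries as dicts sorted by ascending revision."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    entries = []
    for e in root.iter("logentry"):
        entries.append({
            "rev": int(e.get("revision")),
            "author": (e.findtext("author") or "").strip(),
            "date": date.fromisoformat((e.findtext("date") or "")[:10]),
        })
    return sorted(entries, key=lambda x: x["rev"])


def committer_summary(entries: list[dict]) -> dict[str, dict]:
    """Per author: commit count, (rev, date) of first commit, (rev, date) of latest."""
    summary: dict[str, dict] = {}
    for e in entries:  # ascending revision order, so first/latest are min/max
        s = summary.setdefault(e["author"], {"commits": 0, "first": None, "latest": None})
        s["commits"] += 1
        if s["first"] is None or e["rev"] < s["first"][0]:
            s["first"] = (e["rev"], e["date"])
        if s["latest"] is None or e["rev"] > s["latest"][0]:
            s["latest"] = (e["rev"], e["date"])
    return summary


def new_committers_since(entries: list[dict], since: date) -> list[str]:
    """Authors whose FIRST commit is after `since`: the ownership-change signal."""
    summary = committer_summary(entries)
    return sorted(a for a, s in summary.items() if s["first"][1] > since)


if __name__ == "__main__":
    entries = parse_svn_log(SAMPLE_SVN_LOG_XML)
    print(f"{'Committer':15} {'Commits':>7}   First commit            Latest commit")
    for author, s in committer_summary(entries).items():
        first, latest = s["first"], s["latest"]
        print(f"{author:15} {s['commits']:>7}   {first[1]} · r{first[0]}   {latest[1]} · r{latest[0]}")
    print("new committers since 2015-12-31:", new_committers_since(entries, date(2015, 12, 31)))
```

Running the check on a schedule against a stored baseline of authors is what turns the table into a monitor: an author appearing in `new_committers_since` after the baseline date is exactly the ownership change a readme contributor list will not reveal.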

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor    Member since   SVN access   Status
keywordrush    2015-08-17     4 commits    Active

Versions (55 most recent)

Version Released Download
11.0.0 2026-04-24 · 8d ago zip
10.1.0 2025-11-25 · 5mo ago zip
10.0.0 2025-10-19 · 6mo ago zip
9.0.2 2025-08-26 · 8mo ago zip
9.0.1 2025-08-23 · 8mo ago zip
9.0.0 2025-08-20 · 8mo ago zip
8.0.0 2025-04-30 · 1y ago zip
7.0.0 2024-07-23 · 1y ago zip
6.0.0 2023-08-21 · 2y ago zip
5.5.0 2022-11-01 · 3y ago zip
5.4.0 2022-04-25 · 4y ago zip
5.3.0 2022-04-04 · 4y ago zip
5.2.1 2021-06-12 · 4y ago zip
5.2.0 2021-06-11 · 4y ago zip
5.1.0 2020-12-22 · 5y ago zip
5.0.0 2020-10-25 · 5y ago zip
4.9.8 2019-05-12 · 6y ago zip
4.8.0 2018-07-25 · 7y ago zip
4.5.0 2018-03-18 · 8y ago zip
4.4.3 2018-02-08 · 8y ago zip
4.3.0 2017-12-01 · 8y ago zip
4.2.1 2017-11-04 · 8y ago zip
4.0.3 2017-09-15 · 8y ago zip
3.9.1 2017-08-02 · 8y ago zip
3.9.0 2017-07-29 · 8y ago zip
3.7.0 2017-05-29 · 8y ago zip
3.6.2 2017-04-26 · 9y ago zip
3.5.1 2017-03-07 · 9y ago zip
3.5.0 2017-03-07 · 9y ago zip
3.4.1 2017-02-21 · 9y ago zip
3.2.1 2017-01-24 · 9y ago zip
3.2.0 2017-01-24 · 9y ago zip
3.0.5 2016-12-29 · 9y ago zip
3.0.2 2016-12-14 · 9y ago zip
3.0.1 2016-12-14 · 9y ago zip
3.0.0 2016-12-14 · 9y ago zip
2.9.1 2016-11-29 · 9y ago zip
2.9.0 2016-11-27 · 9y ago zip
2.8.1 2016-10-26 · 9y ago zip
2.8.0 2016-10-26 · 9y ago zip
2.7.0 2016-09-16 · 9y ago zip
2.6.1 2016-09-02 · 9y ago zip
2.6.0 2016-08-27 · 9y ago zip
2.5.1 2016-08-15 · 9y ago zip
2.4.2 2016-05-27 · 9y ago zip
2.4.0 2016-05-26 · 9y ago zip
2.3.0 2016-04-03 · 10y ago zip
2.2.0 2016-03-08 · 10y ago zip
2.1.0 2015-12-04 · 10y ago zip
2.0.1 2015-10-31 · 10y ago zip
1.9.0 2015-10-10 · 10y ago zip
1.8.0 2015-09-18 · 10y ago zip
1.7.1 2015-09-02 · 10y ago zip
1.6.1 2015-08-30 · 10y ago zip
1.6.0 2015-08-28 · 10y ago zip