WP Beacon

Countdown Timer Ultimate

countdown-timer-ultimate · by essentialplugin · wordpress.org ↗ · SVN ↗
Acquired by EssentialPlugin (malicious campaign) on 2025-05-12. New committers from that team's naming convention are expected and will not fire takeover events. source ↗
This plugin is closed on wordpress.org. Closed 2026-04-07.
Active installs
20k+
Current version
2.6.9.1
Added
Last updated
First seen by beacon
10d ago
Total downloads

Audits (1)

Malicious Audit #4 baseline 2.6.6 → head 2.6.9.1 suspect essentialplugin 10d ago

Marketplace acquisition of an established 30-plugin portfolio used as a vehicle for a fleet-wide PHP-deserialization RCE backdoor with on-chain C2 resolution.

Read full audit →

Alerts (0)

No open alerts.

Show 16 resolved alerts
Medium author_younger_than_plugin Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
Author slugessentialplugin
Author display nameessentialplugin
Author employerEssential Plugin
Author member since2025-05-12
Earliest plugin commit2016-10-01 01:03:27
Plugin age at author join3,144
Author age now days350
Prior committersplugin-master anoopranawat wponlinesupport frantorres
Active installs20,000
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "author_slug": "essentialplugin",
    "author_display_name": "essentialplugin",
    "author_employer": "Essential Plugin",
    "author_member_since": "2025-05-12",
    "earliest_plugin_commit": "2016-10-01 01:03:27",
    "plugin_age_at_author_join": 3144,
    "author_age_now_days": 350,
    "prior_committers": [
        "plugin-master",
        "anoopranawat",
        "wponlinesupport",
        "frantorres"
    ],
    "active_installs": 20000
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
Patternanalytics.essentialplugin.com
Kindioc:domain
Version2.6.9.1
Hit count6
First hit
File
countdown-timer.php
Line
42
Snippet
<p><?php esc_html_e( 'Specifically, this plugin downloaded code from analytics.essentialplugin.com and installed it in your site, while the specific case can differ, we know that they were installin
Explanation
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "pattern": "analytics.essentialplugin.com",
    "kind": "ioc:domain",
    "version": "2.6.9.1",
    "hit_count": 6,
    "first_hit": {
        "file": "countdown-timer.php",
        "line": 42,
        "snippet": "<p><?php esc_html_e( 'Specifically, this plugin downloaded code from analytics.essentialplugin.com and installed it in your site, while the specific case can differ, we know that they were installin"
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
PatternPlugin Wpos Analytics Data Starts
Kindioc:code_pattern
Version2.6.9.1
Hit count1
First hit
File
countdown-timer.php
Line
317
Snippet
/* Plugin Wpos Analytics Data Starts */
Explanation
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "pattern": "Plugin Wpos Analytics Data Starts",
    "kind": "ioc:code_pattern",
    "version": "2.6.9.1",
    "hit_count": 1,
    "first_hit": {
        "file": "countdown-timer.php",
        "line": 317,
        "snippet": "/* Plugin Wpos Analytics Data Starts */"
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
Patternunserialize_after_remote_call
Kindbuiltin
Version2.6.9.1
Hit count1
First hit
File
wpos-analytics/includes/class-anylc-admin.php
Line
696
Snippet
L690: $data = @file_get_contents($url); → L696: $info = @unserialize($data);
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "2.6.9.1",
    "hit_count": 1,
    "first_hit": {
        "file": "wpos-analytics/includes/class-anylc-admin.php",
        "line": 696,
        "snippet": "L690: $data = @file_get_contents($url);  \u2192  L696: $info = @unserialize($data);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
PatternWpos_Anylc_Admin
Kindioc:code_pattern
Version2.6.9.1
Hit count6
First hit
File
wpos-analytics/includes/class-anylc-admin.php
Line
15
Snippet
class Wpos_Anylc_Admin {
Explanation
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "pattern": "Wpos_Anylc_Admin",
    "kind": "ioc:code_pattern",
    "version": "2.6.9.1",
    "hit_count": 6,
    "first_hit": {
        "file": "wpos-analytics/includes/class-anylc-admin.php",
        "line": 15,
        "snippet": "class Wpos_Anylc_Admin {"
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
Patternwpos_rest_api_init
Kindioc:code_pattern
Version2.6.9.1
Hit count2
First hit
File
wpos-analytics/includes/class-anylc-admin.php
Line
72
Snippet
add_action( 'rest_api_init', array($this, 'wpos_rest_api_init') );
Explanation
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "pattern": "wpos_rest_api_init",
    "kind": "ioc:code_pattern",
    "version": "2.6.9.1",
    "hit_count": 2,
    "first_hit": {
        "file": "wpos-analytics/includes/class-anylc-admin.php",
        "line": 72,
        "snippet": "add_action( 'rest_api_init', array($this, 'wpos_rest_api_init') );"
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
Patternwpos_handle_analytics_request
Kindioc:code_pattern
Version2.6.9.1
Hit count2
First hit
File
wpos-analytics/includes/class-anylc-admin.php
Line
593
Snippet
'callback' => array( $this, 'wpos_handle_analytics_request' ),
Explanation
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "pattern": "wpos_handle_analytics_request",
    "kind": "ioc:code_pattern",
    "version": "2.6.9.1",
    "hit_count": 2,
    "first_hit": {
        "file": "wpos-analytics/includes/class-anylc-admin.php",
        "line": 593,
        "snippet": "'callback'            => array( $this, 'wpos_handle_analytics_request' ),"
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
Patternwpos_get_plugin_version_by_file
Kindioc:code_pattern
Version2.6.9.1
Hit count2
First hit
File
wpos-analytics/includes/class-anylc-admin.php
Line
657
Snippet
$version = $this->wpos_get_plugin_version_by_file($matching_product['file']);
Explanation
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "pattern": "wpos_get_plugin_version_by_file",
    "kind": "ioc:code_pattern",
    "version": "2.6.9.1",
    "hit_count": 2,
    "first_hit": {
        "file": "wpos-analytics/includes/class-anylc-admin.php",
        "line": 657,
        "snippet": "$version = $this->wpos_get_plugin_version_by_file($matching_product['file']);"
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
Patternwpos_process_monthly_data
Kindioc:code_pattern
Version2.6.9.1
Hit count3
First hit
File
wpos-analytics/includes/class-anylc-admin.php
Line
545
Snippet
$this->wpos_process_monthly_data( $this->analytics_slugs );
Explanation
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "pattern": "wpos_process_monthly_data",
    "kind": "ioc:code_pattern",
    "version": "2.6.9.1",
    "hit_count": 3,
    "first_hit": {
        "file": "wpos-analytics/includes/class-anylc-admin.php",
        "line": 545,
        "snippet": "$this->wpos_process_monthly_data( $this->analytics_slugs );"
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
Patternhttps://analytics.essentialplugin.com
Kindioc:url
Version2.6.9.1
Hit count5
First hit
File
wpos-analytics/includes/class-anylc-admin.php
Line
17
Snippet
public $analytics_endpoint = 'https://analytics.essentialplugin.com';
Explanation
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "pattern": "https://analytics.essentialplugin.com",
    "kind": "ioc:url",
    "version": "2.6.9.1",
    "hit_count": 5,
    "first_hit": {
        "file": "wpos-analytics/includes/class-anylc-admin.php",
        "line": 17,
        "snippet": "public $analytics_endpoint\t= 'https://analytics.essentialplugin.com';"
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
Pattern$analytics_endpoint
Kindioc:code_pattern
Version2.6.9.1
Hit count1
First hit
File
wpos-analytics/includes/class-anylc-admin.php
Line
17
Snippet
public $analytics_endpoint = 'https://analytics.essentialplugin.com';
Explanation
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "pattern": "$analytics_endpoint",
    "kind": "ioc:code_pattern",
    "version": "2.6.9.1",
    "hit_count": 1,
    "first_hit": {
        "file": "wpos-analytics/includes/class-anylc-admin.php",
        "line": 17,
        "snippet": "public $analytics_endpoint\t= 'https://analytics.essentialplugin.com';"
    },
    "explanation": null
}
Critical code_pattern Resolved · audit:malicious 2026-04-27 11:03:09 (5d ago)
Slugcountdown-timer-ultimate
Patternwpos_monthly_cron_hook
Kindioc:code_pattern
Version2.6.9.1
Hit count4
First hit
File
wpos-analytics/includes/class-anylc-admin.php
Line
69
Snippet
add_action( 'wpos_monthly_cron_hook', array($this, 'wpos_monthly_cron_hook_fn') );
Explanation
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "pattern": "wpos_monthly_cron_hook",
    "kind": "ioc:code_pattern",
    "version": "2.6.9.1",
    "hit_count": 4,
    "first_hit": {
        "file": "wpos-analytics/includes/class-anylc-admin.php",
        "line": 69,
        "snippet": "add_action( 'wpos_monthly_cron_hook', array($this, 'wpos_monthly_cron_hook_fn') );"
    },
    "explanation": null
}
Critical new_committer_young_account Resolved · superseded_by_audit 2026-04-22 02:15:53 (10d ago)
Slugcountdown-timer-ultimate
Committeressentialplugin
Display nameessentialplugin
Member since2025-05-12
First commit at2025-08-08 17:09:06
Account age at first commit88
Commit count4
Active installs20,000
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "committer": "essentialplugin",
    "display_name": "essentialplugin",
    "member_since": "2025-05-12",
    "first_commit_at": "2025-08-08 17:09:06",
    "account_age_at_first_commit": 88,
    "commit_count": 4,
    "active_installs": 20000
}
Critical new_committer_young_account Resolved · audit:malicious 2026-04-22 00:51:39 (10d ago)
Slugcountdown-timer-ultimate
Committeressentialplugin
Display nameessentialplugin
Member since2025-05-12
First commit at2025-08-08 17:09:06
Account age at first commit88
Commit count4
Active installs20,000
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "committer": "essentialplugin",
    "display_name": "essentialplugin",
    "member_since": "2025-05-12",
    "first_commit_at": "2025-08-08 17:09:06",
    "account_age_at_first_commit": 88,
    "commit_count": 4,
    "active_installs": 20000
}
Critical new_committer_young_account Resolved · deduped 2026-04-21 23:49:17 (10d ago)
Slugcountdown-timer-ultimate
Committeressentialplugin
Display nameessentialplugin
Member since2025-05-12
First commit at2025-08-08 17:09:06
Account age at first commit88
Commit count4
Active installs20,000
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "committer": "essentialplugin",
    "display_name": "essentialplugin",
    "member_since": "2025-05-12",
    "first_commit_at": "2025-08-08 17:09:06",
    "account_age_at_first_commit": 88,
    "commit_count": 4,
    "active_installs": 20000
}
Critical new_committer_young_account Resolved · deduped 2026-04-21 18:24:41 (10d ago)
Slugcountdown-timer-ultimate
Committeressentialplugin
Display nameEssential Plugin
Member since2025-05-12
First commit at2025-08-08 17:09:06
Account age at first commit88
Commit count4
Active installs20,000
View raw JSON
{
    "slug": "countdown-timer-ultimate",
    "committer": "essentialplugin",
    "display_name": "Essential Plugin",
    "member_since": "2025-05-12",
    "first_commit_at": "2025-08-08 17:09:06",
    "account_age_at_first_commit": 88,
    "commit_count": 4,
    "active_installs": 20000
}

SVN committers (5)

Accounts with actual commit access to countdown-timer-ultimate on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
wponlinesupport 2015-09-02 57 2018-12-06 · r1986624 2025-05-16 · r3294619
anoopranawat 2013-06-24 43 2016-10-01 · r1506371 2022-01-13 · r2656958
essentialplugin Young account 2025-05-12 4 2025-08-08 · r3341771 2026-02-19 · r3465313
Francisco Torres 2012-02-08 1 2026-04-07 · r3501130 2026-04-07 · r3501130
plugin-master 2007-03-09 1 2016-10-01 · r1506222 2016-10-01 · r1506222

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
essentialplugin 2025-05-12 4 commits Active

Versions (16 most recent)

Version Released Download
2.6.9.1 2026-04-07 · 24d ago
2.6.9 2026-02-19 · 2mo ago
2.6.8 2025-11-12 · 5mo ago
2.6.7 2025-08-08 · 8mo ago
2.6.6 2025-05-16 · 11mo ago
2.6.5 2025-05-14 · 11mo ago
2.6.4 2025-01-11 · 1y ago
2.6.3 2025-01-11 · 1y ago
2.6.2 2024-11-05 · 1y ago
2.6.1 2024-07-30 · 1y ago
2.1 2023-02-24 · 3y ago
1.4 2021-05-14 · 4y ago
1.2.5 2020-10-29 · 5y ago
1.1.4 2018-08-22 · 7y ago
1.1.2 2017-07-20 · 8y ago
1.0.0 2016-10-03 · 9y ago