WP Beacon

Email OTP Authenticator – Login, Register, 2FA & Session Lock

email-otp-authenticator · by ilvchandan · wordpress.org ↗ · SVN ↗
Active installs
100
Current version
6.4.4
Added
2023-06-08
Last updated
2026-06-05 (7d ago)
First seen by beacon
1mo ago
Total downloads
9,877

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · commented_out_unserialize_lowercase_wpautoupdate_r 2026-05-08 11:25:13 (1mo ago)
Slugemail-otp-authenticator
Patternunserialize_after_remote_call
Kindbuiltin
Version6.4.1
Hit count4
First hit
File
lib_old/wp_autoupdate.php
Line
259
Snippet
L254: $request = wp_remote_post($this->update_path, $params ); → L259: //return @unserialize( $request['body'] );
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "email-otp-authenticator",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "6.4.1",
    "hit_count": 4,
    "first_hit": {
        "file": "lib_old/wp_autoupdate.php",
        "line": 259,
        "snippet": "L254: $request = wp_remote_post($this->update_path, $params );  \u2192  L259: //return @unserialize( $request['body'] );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to email-otp-authenticator on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
cs7.in 2017-08-30 6 2023-06-08 · r2923217 2026-06-05 · r3562219
plugin-master 2007-03-09 1 2023-06-07 · r2923098 2023-06-07 · r2923098

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
cs7.in 2017-08-30 6 commits Active

Versions (29 most recent)

Version Released Download
6.4.4 2026-06-05 · 7d ago zip
6.4.1 2026-05-29 · 14d ago zip
6.3.5 2026-03-27 · 2mo ago zip
6.3.4 2025-11-11 · 7mo ago zip
6.3.3 2025-10-24 · 7mo ago zip
6.3.2 2025-10-13 · 8mo ago zip
6.2.4 2025-08-01 · 10mo ago zip
6.2.3 2025-07-18 · 10mo ago zip
6.2.0 2025-07-12 · 11mo ago zip
6.1.1 2025-06-29 · 11mo ago zip
6.0.1 2025-05-23 · 1y ago zip
6.0.0 2025-05-17 · 1y ago zip
5.3.5 2025-04-11 · 1y ago zip
5.2.6 2025-03-22 · 1y ago zip
5.2.5 2025-01-18 · 1y ago zip
5.2.1 2025-01-16 · 1y ago zip
5.2.0 2025-01-15 · 1y ago zip
5.1.2 2024-12-22 · 1y ago zip
5.1.1 2024-12-20 · 1y ago zip
5.0.1 2024-12-03 · 1y ago zip
4.8.2 2024-11-15 · 1y ago zip
4.7.5 2024-11-08 · 1y ago zip
4.7.1 2024-11-07 · 1y ago zip
4.6 2024-10-05 · 1y ago zip
4.2 2024-08-19 · 1y ago zip
2.8 2024-02-09 · 2y ago zip
2.7 2023-12-06 · 2y ago zip
2.6 2023-11-16 · 2y ago zip
2.4 2023-07-20 · 2y ago zip