Formidable PRO2PDF

formidablepro-2-pdf · by alexandre67fr · wordpress.org ↗ · SVN ↗

Active installs: 1k+
Current version: 3.23
Added: 2015-04-30
Last updated: 2025-09-08 (7mo ago)
First seen by beacon: 11d ago
Total downloads: 96,783

Alerts (0)

No open alerts.

Show 1 resolved alert

Critical code_pattern Resolved · benign_architectural_concern 2026-04-30 15:25:31 (2d ago)

Slug	formidablepro-2-pdf
Pattern	`unserialize_after_remote_call`
Kind	`builtin`
Version	`3.23`
Hit count	1
First hit	File `fpropdf.php` Line 604 Snippet L591: $request = wp_remote_get($url); → L604: $files = @unserialize($row['value']);
Explanation	a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.

View raw JSON

{
    "slug": "formidablepro-2-pdf",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "3.23",
    "hit_count": 1,
    "first_hit": {
        "file": "fpropdf.php",
        "line": 604,
        "snippet": "L591: $request = wp_remote_get($url);  \u2192  L604: $files = @unserialize($row['value']);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (5)

Accounts with actual commit access to formidablepro-2-pdf on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer	Member since	Commits	First commit	Latest commit
E2Pdf Young account	2017-01-31	121	2017-01-31 · r1586004	2025-11-28 · r3404833
alexandre67fr Young account	2015-04-12	118	2015-04-30 · r1149920	2016-05-03 · r1409357
aizatmustafin Young account	2016-05-02	36	2016-05-05 · r1411269	2017-01-09 · r1570927
webethics Young account	2017-01-17	7	2017-01-20 · r1578473	2017-02-16 · r1597295
plugin-master	2007-03-09	1	2015-04-29 · r1149516	2015-04-29 · r1149516

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor	Member since	SVN access	Status
alexandre67fr	2015-04-12	118 commits	Active
rasmarcus	2015-05-01	—	Active

Versions (93 most recent)

Version	Released	Download
3.23	2025-09-08 · 7mo ago	zip
3.22	2025-07-14 · 9mo ago	zip
3.21	2025-06-03 · 11mo ago	zip
3.20	2025-05-31 · 11mo ago	zip
3.19	2025-05-27 · 11mo ago	zip
3.18	2025-05-18 · 11mo ago	zip
3.09	2022-12-21 · 3y ago	zip
3.08	2022-11-14 · 3y ago	zip
2.65	2017-05-14 · 8y ago	zip
2.34	2016-09-06 · 9y ago	zip
2.30	2016-06-06 · 9y ago	zip
2.29	2016-05-20 · 9y ago	zip
2.28	2016-05-14 · 9y ago	zip
2.27	2016-05-05 · 9y ago	zip
2.26	2016-04-20 · 10y ago	zip
2.25	2016-04-20 · 10y ago	zip
2.24	2016-04-13 · 10y ago	zip
2.23	2016-04-05 · 10y ago	zip
2.22	2016-03-31 · 10y ago	zip
2.21	2016-03-22 · 10y ago	zip
2.20	2016-03-02 · 10y ago	zip
2.19	2016-02-29 · 10y ago	zip
2.18	2016-02-26 · 10y ago	zip
2.17	2016-02-25 · 10y ago	zip
2.16	2016-02-24 · 10y ago	zip
2.15	2016-02-24 · 10y ago	zip
2.14	2016-02-23 · 10y ago	zip
2.13	2016-02-16 · 10y ago	zip
2.12	2016-02-12 · 10y ago	zip
2.11	2016-02-09 · 10y ago	zip
2.10	2016-02-09 · 10y ago	zip
2.9	2016-02-05 · 10y ago	zip
2.8	2016-02-04 · 10y ago	zip
2.7	2016-01-31 · 10y ago	zip
2.6	2016-01-31 · 10y ago	zip
2.5	2016-01-22 · 10y ago	zip
2.4	2016-01-22 · 10y ago	zip
2.0	2015-12-26 · 10y ago	zip
1.7.39	2015-12-17 · 10y ago	zip
1.7.38	2015-12-14 · 10y ago	zip
1.7.37	2015-12-09 · 10y ago	zip
1.7.36	2015-12-09 · 10y ago	zip
1.7.35	2015-12-03 · 10y ago	zip
1.7.34	2015-12-02 · 10y ago	zip
1.7.32	2015-11-30 · 10y ago	zip
1.7.31	2015-11-26 · 10y ago	zip
1.7.30	2015-11-25 · 10y ago	zip
1.7.29	2015-11-02 · 10y ago	zip
1.7.28	2015-11-01 · 10y ago	zip
1.7.27	2015-10-29 · 10y ago	zip
1.7.26	2015-10-28 · 10y ago	zip
1.7.25	2015-10-28 · 10y ago	zip
1.7.24	2015-10-18 · 10y ago	zip
1.7.23	2015-10-18 · 10y ago	zip
1.7.22	2015-10-14 · 10y ago	zip
1.7.21	2015-10-13 · 10y ago	zip
1.7.20	2015-10-08 · 10y ago	zip
1.7.19	2015-10-07 · 10y ago	zip
1.7.18	2015-10-06 · 10y ago	zip
1.7.17	2015-10-01 · 10y ago	zip
1.7.16	2015-10-01 · 10y ago	zip
1.7.15	2015-09-22 · 10y ago	zip
1.7.14	2015-09-21 · 10y ago	zip
1.7.13	2015-09-21 · 10y ago	zip
1.7.12	2015-09-17 · 10y ago	zip
1.7.11	2015-09-16 · 10y ago	zip
1.7.10	2015-09-11 · 10y ago	zip
1.7.9	2015-09-09 · 10y ago	zip
1.7.8	2015-09-09 · 10y ago	zip
1.7.7	2015-09-03 · 10y ago	zip
1.7.6	2015-09-02 · 10y ago	zip
1.7.5	2015-08-31 · 10y ago	zip
1.7.4	2015-08-28 · 10y ago	zip
1.7.3	2015-08-28 · 10y ago	zip
1.7.2	2015-08-27 · 10y ago	zip
1.7.1	2015-08-24 · 10y ago	zip
1.7.0	2015-08-22 · 10y ago	zip
1.6.0.17	2015-08-10 · 10y ago	zip
1.6.0.16	2015-08-10 · 10y ago	zip
1.6.0.15	2015-07-20 · 10y ago	zip
1.6.0.14	2015-07-16 · 10y ago	zip
1.6.0.13	2015-07-10 · 10y ago	zip
1.6.0.12	2015-06-30 · 10y ago	zip
1.6.0.11	2015-06-24 · 10y ago	zip
1.6.0.10	2015-06-11 · 10y ago	zip
1.6.0.9	2015-06-08 · 10y ago	zip
1.6.0.8	2015-06-08 · 10y ago	zip
1.6.0.7	2015-05-27 · 10y ago	zip
1.6.0.6	2015-05-26 · 10y ago	zip
1.6.0.4	2015-05-13 · 10y ago	zip
1.6	2015-05-13 · 10y ago	zip
1.6.0.2	2015-05-13 · 10y ago	zip
1.6.0.3	2015-05-13 · 10y ago	zip