WP Beacon

FV Player 8

fv-player · by foliovision · wordpress.org ↗ · SVN ↗
Active installs
1k+
Current version
8.1.4
Added
2024-08-06
Last updated
2026-03-09 (1mo ago)
First seen by beacon
11d ago
Total downloads
16,264

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · benign_architectural_concern 2026-04-30 15:25:31 (2d ago)
Slugfv-player
Patternunserialize_after_remote_call
Kindbuiltin
Version8.1.4
Hit count1
First hit
File
includes/fp-api-private.php
Line
249
Snippet
L239: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L249: $response = @unserialize( preg_replace( '~^/\*[\s\S]*?\*/\s+~', '', $raw_respons
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "fv-player",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "8.1.4",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/fp-api-private.php",
        "line": 249,
        "snippet": "L239: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L249: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to fv-player on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
FolioVision 2007-04-18 57 2024-08-06 · r3131463 2026-03-09 · r3478297
plugin-master 2007-03-09 1 2024-03-02 · r3044099 2024-03-02 · r3044099

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
FolioVision 2007-04-18 57 commits Active

Versions (8 most recent)

Version Released Download
8.1.3 2026-02-09 · 2mo ago zip
8.1 2025-12-05 · 4mo ago zip
8.0.27 2025-10-22 · 6mo ago zip
8.0.25 2025-09-17 · 7mo ago zip
8.0.21 2025-07-30 · 9mo ago zip
8.0.20 2025-07-11 · 9mo ago zip
8.0.19 2025-06-19 · 10mo ago zip
8.0.18 2025-03-05 · 1y ago zip