WP Beacon
High update_hijack_shape
Resolved · audit:suspicious
2026-05-02 01:26:18 (21d ago)
| Slug | js-support-ticket |
|---|---|
| Shape | eval_after_remote_call |
| File | modules/proinstaller/controller.php |
| Line | 69 |
| Snippet | $response = curl_exec($ch); ... eval($response); |
| Remote url | https://setup.joomsky.com/jsticketwp/pro/index.php |
| Remote url obfuscation | base64-encoded JCONSTINST constant in includes/includer.php:71 |
| Ssl verify | no |
| Vendor | JoomSky / rabilal |
| Active installs | 8,000 |
| Current response payload | echo Please download new installer from www.joomsky.com |
| Audit rationale | Vendor-shipped permanent eval(remote-PHP) primitive: SSL verification disabled, URL base64-encoded in source. Server response is benign today but the architecture is a fully-armed update-hijack vector affecting 8000 installs. |
| Discovered by | wp beacon hunt-updaters (eval_after_remote_call pattern) |
View raw JSON
{
"slug": "js-support-ticket",
"shape": "eval_after_remote_call",
"file": "modules/proinstaller/controller.php",
"line": 69,
"snippet": "$response = curl_exec($ch); ... eval($response);",
"remote_url": "https://setup.joomsky.com/jsticketwp/pro/index.php",
"remote_url_obfuscation": "base64-encoded JCONSTINST constant in includes/includer.php:71",
"ssl_verify": false,
"vendor": "JoomSky / rabilal",
"active_installs": 8000,
"current_response_payload": "echo Please download new installer from www.joomsky.com",
"audit_rationale": "Vendor-shipped permanent eval(remote-PHP) primitive: SSL verification disabled, URL base64-encoded in source. Server response is benign today but the architecture is a fully-armed update-hijack vector affecting 8000 installs.",
"discovered_by": "wp beacon hunt-updaters (eval_after_remote_call pattern)"
}