Kirki – Freeform Website Builder & Customizer

{
    "slug": "kirki",
    "committer_slug": "deployer",
    "committer_display_name": "deployer.seravo.com",
    "committer_employer": null,
    "committer_member_since": "2015-08-08",
    "committer_first_commit": "2016-03-20 19:52:01",
    "committer_commit_count": 2,
    "plugin_listed_author": "themeum",
    "earliest_plugin_commit": "2014-05-27 21:36:58",
    "plugin_age_at_join_days": 662,
    "committer_age_at_join_days": 225,
    "active_installs": 500000
}

{
    "slug": "kirki",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "5.2.3",
    "hit_count": 3,
    "first_hit": {
        "file": "customizer/packages/controls/tabs/edd/EDD_SL_Plugin_Updater.php",
        "line": 545,
        "snippet": "L527: $request = wp_remote_post(  \u2192  L545: $request->sections = maybe_unserialize( $request->sections );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*`/`curl_exec`/`file_get_contents`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak."
}

{
    "slug": "kirki",
    "previous_version": "5.2.3",
    "current_version": "5.2.3",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "customizer/packages/controls/tabs/edd/EDD_SL_Plugin_Updater.php",
            "line": 545,
            "snippet": "L527: $request = wp_remote_post(  \u2192  L545: $request->sections = maybe_unserialize( $request->sections );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "customizer/packages/controls/tabs/edd/EDD_SL_Plugin_Updater.php",
            "line": 551,
            "snippet": "L542: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L551: $request->banners = maybe_unserialize( $request->banners );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "customizer/packages/controls/tabs/edd/EDD_SL_Plugin_Updater.php",
            "line": 555,
            "snippet": "L542: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L555: $request->icons = maybe_unserialize( $request->icons );",
            "confidence": "high"
        }
    ],
    "new_finding_count": 3
}