WP Beacon

Max Mega Menu

megamenu · by megamenu · wordpress.org ↗ · SVN ↗
Active installs
300k+
Current version
3.10.5
Added
2014-07-03
Last updated
2026-06-01 (10d ago)
First seen by beacon
1mo ago
Total downloads
12,440,682

Alerts (0)

No open alerts.

Show 3 resolved alerts
High compromised_committer_burst Resolved · benign_deploy_burst_clean_scan 2026-05-28 01:56:09 (15d ago)
Slugmegamenu
Author slugmegamenu
Burst start2026-05-26 09:48:31
Burst end2026-05-26 11:00:09
Burst commits12
Burst window minutes90
Tenure days594
Distinct messages11
Avg message length29
Top messageUpdate version to 3.10
Top message count2
Prt revert
ExplanationEstablished author committed 12 revisions inside a 90-minute window with low-entropy commit messages. Pattern matches the June 2024 wp.org credential-stuffing wave shape; bumped to critical when followed by a wp.org Plugin Review Team revert within 7 days.
View raw JSON
{
    "slug": "megamenu",
    "author_slug": "megamenu",
    "burst_start": "2026-05-26 09:48:31",
    "burst_end": "2026-05-26 11:00:09",
    "burst_commits": 12,
    "burst_window_minutes": 90,
    "tenure_days": 594,
    "distinct_messages": 11,
    "avg_message_length": 29.3,
    "top_message": "Update version to 3.10",
    "top_message_count": 2,
    "prt_revert": null,
    "explanation": "Established author committed 12 revisions inside a 90-minute window with low-entropy commit messages. Pattern matches the June 2024 wp.org credential-stuffing wave shape; bumped to critical when followed by a wp.org Plugin Review Team revert within 7 days."
}
Critical code_pattern Resolved · no_longer_matches 2026-04-24 17:01:47 (1mo ago)
Slugmegamenu
Patternunserialize_after_remote_call
Kindbuiltin
Version3.8.1
Hit count2
First hit
File
classes/scss/1.11.1/src/Cache.php
Line
136
Snippet
L135: $c = file_get_contents($fileCache); → L136: $c = unserialize($c);
Explanationa remote HTTP fetch (`wp_remote_*`/`curl_exec`/`file_get_contents`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak.
View raw JSON
{
    "slug": "megamenu",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "3.8.1",
    "hit_count": 2,
    "first_hit": {
        "file": "classes/scss/1.11.1/src/Cache.php",
        "line": 136,
        "snippet": "L135: $c = file_get_contents($fileCache);  \u2192  L136: $c = unserialize($c);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*`/`curl_exec`/`file_get_contents`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak."
}
Critical code_scan_delta Resolved · fp_vendored_library_local_cache 2026-04-24 16:19:18 (1mo ago)
Slugmegamenu
Previous version3.8.1
Current version3.8.1
New findings
PatternKindFileLineSnippetConfidence
unserialize_after_remote_callbuiltinclasses/scss/1.11.1/src/Cache.php136L135: $c = file_get_contents($fileCache); → L136: $c = unserialize($c);high
unserialize_after_remote_callbuiltinclasses/scss/0.0.12/scss.inc.php4,352L4352: $imports = unserialize(file_get_contents($icache)); → L4352: $imports = unserialize(file_get_contents($icache));high
New finding count2
View raw JSON
{
    "slug": "megamenu",
    "previous_version": "3.8.1",
    "current_version": "3.8.1",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "classes/scss/1.11.1/src/Cache.php",
            "line": 136,
            "snippet": "L135: $c = file_get_contents($fileCache);  \u2192  L136: $c = unserialize($c);",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "classes/scss/0.0.12/scss.inc.php",
            "line": 4352,
            "snippet": "L4352: $imports = unserialize(file_get_contents($icache));  \u2192  L4352: $imports = unserialize(file_get_contents($icache));",
            "confidence": "high"
        }
    ],
    "new_finding_count": 2
}

SVN committers (1)

Accounts with actual commit access to megamenu on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
megamenu 2014-06-19 8 2020-04-07 · r2278372 2026-06-02 · r3558248

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
megamenu 2014-06-19 8 commits Active

Versions (32 most recent)

Version Released Download
3.10.5 2026-06-01 · 10d ago zip
3.10.4 2026-05-27 · 15d ago
3.10.3 2026-05-26 · 16d ago zip
3.10.2 2026-05-26 · 16d ago zip
3.10.1 2026-05-26 · 16d ago zip
3.10 2026-05-26 · 16d ago zip
3.9.3 zip
3.9.2.1 2026-04-29 · 1mo ago zip
3.9.2 2026-04-29 · 1mo ago zip
3.9.1 2026-04-28 · 1mo ago zip
3.9 2026-04-28 · 1mo ago zip
3.8.1 2026-03-17 · 2mo ago zip
3.8 2026-03-16 · 2mo ago zip
3.7.3 2026-03-16 · 2mo ago zip
3.7.2 2026-03-16 · 2mo ago zip
3.7 2025-12-15 · 5mo ago zip
3.6.2 2025-12-10 · 6mo ago zip
3.6.1 2025-06-16 · 12mo ago zip
3.6 2025-06-16 · 12mo ago zip
3.5 2025-04-16 · 1y ago zip
3.4.1 2024-11-20 · 1y ago zip
3.4 2024-11-18 · 1y ago zip
3.3.2 2024-07-22 · 1y ago zip
3.3.1 2024-04-08 · 2y ago zip
3.3 2023-12-18 · 2y ago zip
3.2.4 2023-11-21 · 2y ago zip
3.2.3 2023-09-11 · 2y ago zip
3.2.2 2023-08-14 · 2y ago zip
3.2.1 2023-04-24 · 3y ago zip
3.2 2023-04-17 · 3y ago zip
3.1 2023-01-09 · 3y ago zip
3.0 2022-11-10 · 3y ago zip