Microthemer Lite – Visual Editor to Customize CSS

microthemer · by bastywebb · wordpress.org ↗ · SVN ↗
Active installs: 10k+
Current version: 7.5.3.9
Added: 2013-07-06
Last updated: 2026-04-15 (17d ago)
First seen by beacon: 11d ago
Total downloads: 2,630,700

Alerts (0)

No open alerts.

Medium · code_pattern · Resolved · fp:vendor_premium_update_channel · 2026-04-30 20:41:11 (2d ago)
Slug: microthemer
Pattern: puc_update_hijack
Kind: builtin
Version: 7.5.3.9
Hit count: 1
First hit
File: src/Content/PluginUpdater.php
Line: 38
Snippet: $this->updateChecker = \YahnisElsts\PluginUpdateChecker\v5p6\PucFactory::buildUpdateChecker(
Explanation: The plugin calls `::buildUpdateChecker()`, the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021), where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape: unparseable
Url: null
Url host: null
Slug arg: null
Raw JSON:
{
    "slug": "microthemer",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "7.5.3.9",
    "hit_count": 1,
    "first_hit": {
        "file": "src/Content/PluginUpdater.php",
        "line": 38,
        "snippet": "$this->updateChecker = \\YahnisElsts\\PluginUpdateChecker\\v5p6\\PucFactory::buildUpdateChecker("
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "unparseable",
    "url": null,
    "url_host": null,
    "slug_arg": null
}

SVN committers (2)

Accounts with actual commit access to microthemer on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes, not the readme contributors.

Committer      Member since  Commits  First commit          Latest commit
Themeover      2010-11-24    473      2013-07-06 · r737040  2026-04-15 · r3507453
plugin-master  2007-03-09    1        2013-07-05 · r736749  2013-07-05 · r736749

Readme contributors (3)

Names the plugin's readme declares as contributors. A soft signal: anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor     Member since  SVN access   Status
Themeover       2010-11-24    473 commits  Active
Ahrale          2012-07-09    -            Active
Jose Luis Cruz  2014-06-16    -            Active

Versions (1 most recent)

Version  Released              Download
5.0.0.2  2017-05-14 · 8y ago   zip