WP Beacon

Skrill – WooCommerce

official-skrill-woocommerce · by stanislavachannel · wordpress.org ↗ · SVN ↗
Active installs
400
Current version
1.0.75
Added
2017-02-13
Last updated
2026-05-19 (27d ago)
First seen by beacon
1mo ago
Total downloads
66,278

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · legit_vendor_skrill_official 2026-05-08 09:56:55 (1mo ago)
Slugofficial-skrill-woocommerce
Patternhardcoded_ip_url
Kindbuiltin
Version1.0.73
Hit count1
First hit
File
includes/core/class-skrill-payment.php
Line
49
Snippet
protected static $skrill_version_controll_api_url = 'http://81.169.251.23:9097/sendVersion';
Explanationplugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "official-skrill-woocommerce",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "1.0.73",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/core/class-skrill-payment.php",
        "line": 49,
        "snippet": "protected static $skrill_version_controll_api_url = 'http://81.169.251.23:9097/sendVersion';"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

SVN committers (2)

Accounts with actual commit access to official-skrill-woocommerce on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
Skrill_Team Young account 2016-11-21 5 2017-02-13 · r1594853 2026-05-19 · r3537280
plugin-master 2007-03-09 1 2017-02-11 · r1593610 2017-02-11 · r1593610

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
Skrill_Team 2016-11-21 5 commits Active
skrill 2008-04-18 Active