Opal Woo Custom Product Variation

opal-woo-custom-product-variation · by wpopal

Active installs: 400
Current version: 1.3.5
Added: 2024-05-02
Last updated: 2026-04-29 (1mo ago)
First seen by beacon: 1mo ago
Total downloads: 7,928

Alerts (0)

No open alerts.

Resolved alerts (1)

Critical · code_pattern · Resolved · vendor_self_update_wpopal · 2026-05-08 09:56:54 (1mo ago)

Slug: opal-woo-custom-product-variation
Pattern: puc_update_hijack
Kind: builtin
Version: 1.3.5
Hit count: 1
First hit:
  File: opal-woo-custom-product-variation.php
  Line: 65
  Snippet: Puc_v4_Factory::buildUpdateChecker(
Explanation: plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape: hijack
URL: http://source.wpopal.com/plugins/opal/opal-woo-custom-product-variation.json
URL host: source.wpopal.com
Slug arg: opal-woo-custom-product-variation

Raw JSON:
{
    "slug": "opal-woo-custom-product-variation",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "1.3.5",
    "hit_count": 1,
    "first_hit": {
        "file": "opal-woo-custom-product-variation.php",
        "line": 65,
        "snippet": "Puc_v4_Factory::buildUpdateChecker("
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "hijack",
    "url": "http://source.wpopal.com/plugins/opal/opal-woo-custom-product-variation.json",
    "url_host": "source.wpopal.com",
    "slug_arg": "opal-woo-custom-product-variation"
}

SVN committers (3)

Accounts with actual commit access to opal-woo-custom-product-variation on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

| Committer | Member since | Commits | First commit | Latest commit |
|---|---|---|---|---|
| wpopal | 2015-10-29 | 32 | 2024-05-29 · r3094209 | 2026-04-29 · r3518300 |
| GutenGeek | 2020-04-08 | 9 | 2024-05-02 · r3080239 | 2024-05-17 · r3088153 |
| plugin-master | 2007-03-09 | 1 | 2024-04-27 · r3077936 | 2024-04-27 · r3077936 |

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

| Contributor | Member since | SVN access | Status |
|---|---|---|---|
| wpopal | 2015-10-29 | 32 commits | Active |
| KhanhHV | 2024-03-26 | | Active |

Versions (12 most recent)

| Version | Released | Download |
|---|---|---|
| 1.3.4 | 2026-04-24 · 1mo ago | zip |
| 1.3.2 | 2026-03-20 · 2mo ago | zip |
| 1.3.1 | 2026-01-07 · 5mo ago | zip |
| 1.3.0 | 2025-12-05 · 6mo ago | zip |
| 1.2.4 | 2025-10-06 · 8mo ago | zip |
| 1.2.3 | 2025-07-17 · 11mo ago | zip |
| 1.2.1 | 2025-05-02 · 1y ago | zip |
| 1.2.0 | 2025-04-16 · 1y ago | zip |
| 1.1.6 | 2025-03-04 · 1y ago | zip |
| 1.1.5 | 2024-11-14 · 1y ago | zip |
| 1.1.4 | 2024-10-11 · 1y ago | zip |
| 1.1.3 | 2024-07-31 · 1y ago | zip |