WP Beacon

Operation Demo Importer – Demo Importer For WPoperation Themes

operation-demo-importer · by wpoperations · wordpress.org ↗ · SVN ↗
Active installs
1k+
Current version
1.2.0
Added
2018-08-30
Last updated
2024-07-09 (1y ago)
First seen by beacon
11d ago
Total downloads
89,578

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · benign_architectural_concern 2026-04-30 15:25:31 (2d ago)
Slugoperation-demo-importer
Patternunserialize_after_remote_call
Kindbuiltin
Version1.2.0
Hit count1
First hit
File
classes/importers/class-settings-importer.php
Line
44
Snippet
L28: $contents = curl_exec($ch); → L44: $data = @unserialize( $raw );
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "operation-demo-importer",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "1.2.0",
    "hit_count": 1,
    "first_hit": {
        "file": "classes/importers/class-settings-importer.php",
        "line": 44,
        "snippet": "L28: $contents = curl_exec($ch);  \u2192  L44: $data = @unserialize( $raw );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to operation-demo-importer on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
wpoperations 2017-12-11 26 2018-08-30 · r1932872 2024-07-09 · r3115033
plugin-master 2007-03-09 1 2018-08-30 · r1932729 2018-08-30 · r1932729

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
wpoperations 2017-12-11 26 commits Active

Versions (14 most recent)

Version Released Download
1.2.0 2024-07-09 · 1y ago zip
1.1.8 2021-09-17 · 4y ago zip
1.1.7 2021-04-30 · 5y ago zip
1.1.6 2020-09-06 · 5y ago zip
1.1.5 2020-07-24 · 5y ago zip
1.1.4 2020-05-25 · 5y ago zip
1.1.3 2019-11-24 · 6y ago zip
1.1.1 2019-08-29 · 6y ago zip
1.1.2 2019-08-29 · 6y ago zip
1.1.0 2019-08-15 · 6y ago zip
1.0.9 2019-08-05 · 6y ago zip
1.0.7 2019-07-26 · 6y ago zip
1.0.8 2019-07-26 · 6y ago zip
1.0.5 2019-03-17 · 7y ago zip