Polylang

polylang · by chouby · wordpress.org ↗ · SVN ↗

Active installs: 800k+
Current version: 3.8.3
Added: 2011-09-22
Last updated: 2026-04-27 (4d ago)
First seen by beacon: 10d ago
Total downloads: 26,863,664

Alerts (0)

No open alerts.

Show 2 resolved alerts

Critical code_pattern Resolved · no_longer_matches 2026-04-24 15:56:44 (7d ago)

Slug	polylang
Pattern	`unserialize_after_remote_call`
Kind	`builtin`
Version	`3.8.2`
Hit count	3
First hit	File `src/install/plugin-updater.php` Line 635 Snippet L617: $request = wp_remote_post( → L635: $request->sections = maybe_unserialize( $request->sections );
Explanation	a remote HTTP fetch (`wp_remote_*`/`curl_exec`) is followed by `unserialize`/`maybe_unserialize` within the same file — classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. Legit plugins essentially never do this.

View raw JSON

{
    "slug": "polylang",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "3.8.2",
    "hit_count": 3,
    "first_hit": {
        "file": "src/install/plugin-updater.php",
        "line": 635,
        "snippet": "L617: $request = wp_remote_post(  \u2192  L635: $request->sections = maybe_unserialize( $request->sections );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*`/`curl_exec`) is followed by `unserialize`/`maybe_unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. Legit plugins essentially never do this."
}

Critical code_scan_delta Resolved · fp_edd_updater_library 2026-04-24 15:44:12 (7d ago)

Slug polylang

Previous version 3.8.2

Current version 3.8.2

New findings

Pattern	Kind	File	Line	Snippet	Confidence
`unserialize_after_remote_call`	`builtin`	`src/install/plugin-updater.php`	635	L617: $request = wp_remote_post( → L635: $request->sections = maybe_unserialize( $request->sections );	`high`
`unserialize_after_remote_call`	`builtin`	`src/install/plugin-updater.php`	641	L632: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L641: $request->banners = maybe_unserialize( $request->banners );	`high`
`unserialize_after_remote_call`	`builtin`	`src/install/plugin-updater.php`	645	L632: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L645: $request->icons = maybe_unserialize( $request->icons );	`high`

New finding count 3

View raw JSON

{
    "slug": "polylang",
    "previous_version": "3.8.2",
    "current_version": "3.8.2",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "src/install/plugin-updater.php",
            "line": 635,
            "snippet": "L617: $request = wp_remote_post(  \u2192  L635: $request->sections = maybe_unserialize( $request->sections );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "src/install/plugin-updater.php",
            "line": 641,
            "snippet": "L632: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L641: $request->banners = maybe_unserialize( $request->banners );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "src/install/plugin-updater.php",
            "line": 645,
            "snippet": "L632: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L645: $request->icons = maybe_unserialize( $request->icons );",
            "confidence": "high"
        }
    ],
    "new_finding_count": 3
}

SVN committers (1)

Accounts with actual commit access to polylang on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer	Member since	Commits	First commit	Latest commit
Chouby	2011-09-21	1	2013-05-22 · r716785	2026-04-27 · r3516542

Readme contributors (7)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor	Member since	SVN access	Status
Chouby	2011-09-21	1 commits	Active
Emmanuel Hesry	2012-02-25	—	Active
Grégory Viguier	2010-10-01	—	Active
hugod	2021-06-25	—	Active
Marianne	2020-03-09	—	Active
Sebastien SERRE	2013-06-15	—	Active
Sylvain Schellenberger	2019-03-10	—	Active

Versions (100 most recent)

Version	Released	Download
3.8.3	2026-04-27 · 4d ago	zip
3.8.2	2026-04-07 · 25d ago	zip
3.8.1	2026-03-19 · 1mo ago	zip
3.8	2026-03-17 · 1mo ago	zip
3.7.8	2026-02-23 · 2mo ago	zip
3.7.7	2026-01-26 · 3mo ago	zip
3.7.6	2026-01-06 · 3mo ago	zip
3.7.5	2025-11-10 · 5mo ago	zip
3.7.4	2025-10-28 · 6mo ago	zip
3.7.3	2025-06-16 · 10mo ago	zip
3.7.2	2025-05-27 · 11mo ago	zip
3.7.1	2025-05-05 · 12mo ago	zip
3.7	2025-04-22 · 1y ago	zip
3.6.7	2025-03-11 · 1y ago	zip
3.6.6	2025-01-13 · 1y ago	zip
3.6.5	2024-11-05 · 1y ago	zip
3.6.4	2024-07-29 · 1y ago	zip
3.6.3	2024-06-18 · 1y ago	zip
3.6.2	2024-06-03 · 1y ago	zip
3.6.1	2024-04-10 · 2y ago	zip
3.6	2024-03-19 · 2y ago	zip
3.5.4	2024-02-06 · 2y ago	zip
3.5.3	2023-12-11 · 2y ago	zip
3.5.2	2023-10-25 · 2y ago	zip
3.5.1	2023-10-17 · 2y ago	zip
3.5	2023-10-09 · 2y ago	zip
3.4.5	2023-08-07 · 2y ago	zip
3.4.4	2023-07-18 · 2y ago	zip
3.4.3	2023-06-13 · 2y ago	zip
3.4.2	2023-05-30 · 2y ago	zip
3.4.1	2023-05-25 · 2y ago	zip
3.4	2023-05-23 · 2y ago	zip
3.3.3	2023-04-11 · 3y ago	zip
3.3.2	2023-03-06 · 3y ago	zip
3.3.1	2023-01-09 · 3y ago	zip
3.3	2022-11-28 · 3y ago	zip
3.2.8	2022-10-17 · 3y ago	zip
3.2.7	2022-09-20 · 3y ago	zip
3.2.6	2022-09-06 · 3y ago	zip
3.2.5	2022-06-28 · 3y ago	zip
3.2.4	2022-06-07 · 3y ago	zip
3.2.3	2022-05-17 · 3y ago	zip
3.2.2	2022-04-25 · 4y ago	zip
3.2.1	2022-04-14 · 4y ago	zip
3.2	2022-04-12 · 4y ago	zip
3.1.4	2022-01-31 · 4y ago	zip
3.1.3	2021-12-14 · 4y ago	zip
3.1.2	2021-10-11 · 4y ago	zip
3.1.1	2021-08-16 · 4y ago	zip
3.1	2021-07-27 · 4y ago	zip
3.0.6	2021-06-22 · 4y ago	zip
3.0.5	2021-06-08 · 4y ago	zip
3.0.4	2021-04-27 · 5y ago	zip
3.0.3	2021-03-23 · 5y ago	zip
3.0.2	2021-03-16 · 5y ago	zip
3.0.1	2021-03-10 · 5y ago	zip
3.0	2021-03-08 · 5y ago	zip
2.9.2	2021-02-02 · 5y ago	zip
2.9.1	2020-12-15 · 5y ago	zip
2.9	2020-12-07 · 5y ago	zip
2.8.4	2020-11-04 · 5y ago	zip
2.8.3	2020-10-13 · 5y ago	zip
2.8.2	2020-09-08 · 5y ago	zip
2.8.1	2020-08-25 · 5y ago	zip
2.8	2020-08-17 · 5y ago	zip
2.7.4	2020-06-29 · 5y ago	zip
2.7.3	2020-05-26 · 5y ago	zip
2.7.2	2020-04-27 · 6y ago	zip
2.7.1	2020-04-09 · 6y ago	zip
2.7.0.1	2020-04-06 · 6y ago	zip
2.7	2020-04-06 · 6y ago	zip
2.6.10	2020-02-19 · 6y ago	zip
2.6.9	2020-01-15 · 6y ago	zip
2.6.8	2019-12-11 · 6y ago	zip
2.6.7	2019-11-14 · 6y ago	zip
2.6.6	2019-11-12 · 6y ago	zip
2.6.5	2019-10-09 · 6y ago	zip
2.6.4	2019-08-27 · 6y ago	zip
2.6.3	2019-08-06 · 6y ago	zip
2.6.2	2019-07-16 · 6y ago	zip
2.6.1	2019-07-03 · 6y ago	zip
2.6	2019-06-26 · 6y ago	zip
2.5.4	2019-05-28 · 6y ago	zip
2.5.3	2019-04-16 · 7y ago	zip
2.5.2	2019-02-20 · 7y ago	zip
2.5.1	2019-01-16 · 7y ago	zip
2.5	2018-12-06 · 7y ago	zip
2.4.1	2018-11-27 · 7y ago	zip
2.4	2018-11-12 · 7y ago	zip
2.3.11	2018-10-03 · 7y ago	zip
2.3.10	2018-08-16 · 7y ago	zip
2.3.9	2018-08-14 · 7y ago	zip
2.3.8	2018-07-16 · 7y ago	zip
2.3.7	2018-06-07 · 7y ago	zip
2.3.6	2018-05-17 · 7y ago	zip
2.3.5	2018-05-08 · 7y ago	zip
2.3.4	2018-03-27 · 8y ago	zip
2.3.3	2018-03-15 · 8y ago	zip
2.3.2	2018-03-05 · 8y ago	zip
2.3.1	2018-02-15 · 8y ago	zip