WP Beacon

Publitio

publitio · by publitio · wordpress.org ↗ · SVN ↗
Active installs
400
Current version
2.2.6
Added
2018-09-12
Last updated
2026-04-23 (1mo ago)
First seen by beacon
1mo ago
Total downloads
22,273

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · vendor_self_api_publitio 2026-05-08 09:56:54 (1mo ago)
Slugpublitio
Patternunserialize_after_remote_call
Kindbuiltin
Version2.2.6
Hit count1
First hit
File
includes/publitio_api.php
Line
125
Snippet
L114: $response = curl_exec($curl); → L125: $unserialized_response = @unserialize($response);
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "publitio",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "2.2.6",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/publitio_api.php",
        "line": 125,
        "snippet": "L114: $response = curl_exec($curl);  \u2192  L125: $unserialized_response = @unserialize($response);"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to publitio on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
publitio Young account 2018-09-06 40 2018-09-12 · r1939841 2026-04-23 · r3513842
plugin-master 2007-03-09 1 2018-09-12 · r1939639 2018-09-12 · r1939639

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
publitio 2018-09-06 40 commits Active

Versions (2 most recent)

Version Released Download
2.2.6 2026-04-23 · 1mo ago zip
1.0 2019-02-28 · 7y ago zip