RSFirewall!

rsfirewall · by rsjoomla · wordpress.org ↗ · SVN ↗
Active installs
4k+
Current version
1.1.48
Added
2019-07-09
Last updated
2026-06-29 (4d ago)
First seen by beacon
2mo ago
Total downloads
32,522

Statistics

2024-06-17 → 2026-07-01 · 745 days
Downloads today
407
7-day total 865
Week over week
▲ +732%
vs prior 7 days
30-day trend
flat
▲ +23% MoM
Abandonment
●○○○○
install base on one version
Downloads/day Linear trend
69652234817402024-062024-102025-022025-062025-102026-022026-07
40930720510202026-042026-042026-052026-052026-062026-06
40730520410202026-062026-062026-062026-062026-062026-06

Active versions

1.1
1.1 · 100.0%

Ratings

5★
5
4★
0
3★
0
2★
0
1★
0

Support: 0/0 resolved

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · benign_architectural_concern 2026-04-30 15:25:30 (2mo ago)
Slugrsfirewall
Patternunserialize_after_remote_call
Kindbuiltin
Version1.1.46
Hit count1
First hit
File
libraries/autoupdate.php
Line
180
Snippet
L176: $request = wp_remote_post($this->update_path, $params ); → L180: return @unserialize( $request['body'] );
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "rsfirewall",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "1.1.46",
    "hit_count": 1,
    "first_hit": {
        "file": "libraries/autoupdate.php",
        "line": 180,
        "snippet": "L176: $request = wp_remote_post($this->update_path, $params );  \u2192  L180: return @unserialize( $request['body'] );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to rsfirewall on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
RSJoomla! 2018-08-21 57 2019-07-09 · r2119889 2026-06-29 · r3589575
plugin-master 2007-03-09 1 2019-07-08 · r2119710 2019-07-08 · r2119710

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
RSJoomla! 2018-08-21 57 commits Active