WP Beacon

NextScripts: Social Networks Auto-Poster

social-networks-auto-poster-facebook-twitter-g · by nextscripts · wordpress.org ↗ · SVN ↗
Acquired by NextScripts. New committers from that team's naming convention are expected and will not fire takeover events. source ↗
Active installs
30k+
Current version
4.4.7
Added
2012-03-02
Last updated
2026-02-26 (2mo ago)
First seen by beacon
1mo ago
Total downloads
7,437,268

Alerts (0)

No open alerts.

Show 5 resolved alerts
Medium code_scan_match Resolved · code_scan_fp_class_genre_encoding 2026-05-05 12:12:44 (17d ago)
Slugsocial-networks-auto-poster-facebook-twitter-g
Finding count14
Findings
PatternKindFileLineSnippetConfidence
createfuncbuiltinnxs_functions.php424if (!function_exists('nxs_html_to_utf8')){ function nxs_html_to_utf8X ($data){ var_dump($data); return preg_replace_callback("/\\&\\#([0-9]{3,10})\\;/", create_function ('$matches', ' var_dump($matchemedium
createfuncbuiltininc/nxs_functions_adv.php569} rename($tmpX, $tmpX.='.'.$imgType); register_shutdown_function(create_function('', "@unlink('{$tmpX}');")); file_put_contents($tmpX, $imgData);medium
gzinflatebuiltininc/nxs-http.php229if ( false !== ( $decompressed = @gzinflate( $compressed ) ) ) return $decompressed;medium
gzinflatebuiltininc/nxs-http.php240$decompressed = @gzinflate( substr($gzData, $i, -8) ); if ( false !== $decompressed ) return $decompressed;medium
gzinflatebuiltininc/nxs-http.php242$decompressed = @gzinflate( substr($gzData, 2) ); if ( false !== $decompressed ) return $decompressed;medium
base64_decodebuiltininc-cl/wl.php363<?php if ($options['wlBoardsList']!=''){ $gWLBoards = $options['wlBoardsList']; if ( base64_encode(base64_decode($gWLBoards)) === $gWLBoards) $gWLBoards = base64_decode($gWLBoards);medium
base64_decodebuiltininc-cl/wl.php466<?php if (!empty($ntOpt['wlBoardsList'])){ $gWLBoards = $ntOpt['wlBoardsList']; if ( base64_encode(base64_decode($gWLBoards)) === $gWLBoards) $gWLBoards = base64_decode($gWLBoards);medium
createfuncbuiltininc-cl/ap.api.php40rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', "unlink('{$tmp}');"));medium
createfuncbuiltininc-cl/vk.api.php28} rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', "unlink('{$tmp}');")); file_put_contents($tmp, $imgData);medium
createfuncbuiltininc-cl/st.api.php82rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', "unlink('{$tmp}');"));medium
createfuncbuiltininc-cl/fl.api.php40rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', "unlink('{$tmp}');"));medium
base64_decodebuiltininc-cl/apis/xmlrpc-client.php298$value = base64_decode($this->_currentTagContents);medium
base64_decodebuiltininc-cl/apis/OAuth.php200$decoded_sig = base64_decode($signature);medium
createfuncbuiltininc-cl/fp.api.php46rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', "unlink('{$tmp}');"));medium
Resolved shad3aa0472968d6fb4213c920687267aa386b90832
View raw JSON
{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "finding_count": 14,
    "findings": [
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "nxs_functions.php",
            "line": 424,
            "snippet": "if (!function_exists('nxs_html_to_utf8')){ function nxs_html_to_utf8X ($data){ var_dump($data); return preg_replace_callback(\"/\\\\&\\\\#([0-9]{3,10})\\\\;/\", create_function ('$matches', ' var_dump($matche",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc/nxs_functions_adv.php",
            "line": 569,
            "snippet": "} rename($tmpX, $tmpX.='.'.$imgType);  register_shutdown_function(create_function('', \"@unlink('{$tmpX}');\")); file_put_contents($tmpX, $imgData);",
            "confidence": "medium"
        },
        {
            "pattern": "gzinflate",
            "kind": "builtin",
            "file": "inc/nxs-http.php",
            "line": 229,
            "snippet": "if ( false !== ( $decompressed = @gzinflate( $compressed ) ) ) return $decompressed;",
            "confidence": "medium"
        },
        {
            "pattern": "gzinflate",
            "kind": "builtin",
            "file": "inc/nxs-http.php",
            "line": 240,
            "snippet": "$decompressed = @gzinflate( substr($gzData, $i, -8) ); if ( false !== $decompressed ) return $decompressed;",
            "confidence": "medium"
        },
        {
            "pattern": "gzinflate",
            "kind": "builtin",
            "file": "inc/nxs-http.php",
            "line": 242,
            "snippet": "$decompressed = @gzinflate( substr($gzData, 2) ); if ( false !== $decompressed ) return $decompressed;",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "inc-cl/wl.php",
            "line": 363,
            "snippet": "<?php if ($options['wlBoardsList']!=''){ $gWLBoards = $options['wlBoardsList']; if ( base64_encode(base64_decode($gWLBoards)) === $gWLBoards) $gWLBoards = base64_decode($gWLBoards);",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "inc-cl/wl.php",
            "line": 466,
            "snippet": "<?php if (!empty($ntOpt['wlBoardsList'])){ $gWLBoards = $ntOpt['wlBoardsList']; if ( base64_encode(base64_decode($gWLBoards)) === $gWLBoards) $gWLBoards = base64_decode($gWLBoards);",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc-cl/ap.api.php",
            "line": 40,
            "snippet": "rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', \"unlink('{$tmp}');\"));",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc-cl/vk.api.php",
            "line": 28,
            "snippet": "} rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', \"unlink('{$tmp}');\")); file_put_contents($tmp, $imgData);",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc-cl/st.api.php",
            "line": 82,
            "snippet": "rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', \"unlink('{$tmp}');\"));",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc-cl/fl.api.php",
            "line": 40,
            "snippet": "rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', \"unlink('{$tmp}');\"));",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "inc-cl/apis/xmlrpc-client.php",
            "line": 298,
            "snippet": "$value = base64_decode($this->_currentTagContents);",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "inc-cl/apis/OAuth.php",
            "line": 200,
            "snippet": "$decoded_sig = base64_decode($signature);",
            "confidence": "medium"
        },
        {
            "pattern": "createfunc",
            "kind": "builtin",
            "file": "inc-cl/fp.api.php",
            "line": 46,
            "snippet": "rename($tmp, $tmp.='.png'); register_shutdown_function(create_function('', \"unlink('{$tmp}');\"));",
            "confidence": "medium"
        }
    ],
    "resolved_sha": "d3aa0472968d6fb4213c920687267aa386b90832"
}
Critical code_pattern Resolved · false_positive_legit_ip_use 2026-04-30 15:25:28 (22d ago)
Slugsocial-networks-auto-poster-facebook-twitter-g
Patternhardcoded_ip_url
Kindbuiltin
Version4.4.7
Hit count1
First hit
File
inc/nxs_class_snap.php
Line
105
Snippet
nxs_cURLTest("http://45.79.4.45/", "HTTPS to NXSA", "NXS");
Explanationplugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "4.4.7",
    "hit_count": 1,
    "first_hit": {
        "file": "inc/nxs_class_snap.php",
        "line": 105,
        "snippet": "nxs_cURLTest(\"http://45.79.4.45/\", \"HTTPS to NXSA\", \"NXS\");"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}
Critical code_scan_delta Resolved · false_positive_cdn_known_good 2026-04-30 07:41:44 (22d ago)
Slugsocial-networks-auto-poster-facebook-twitter-g
Previous version4.4.7
Current version4.4.7
New findings
PatternKindFileLineSnippetConfidence
hardcoded_ip_urlbuiltininc/nxs_class_snap.php105nxs_cURLTest("http://45.79.4.45/", "HTTPS to NXSA", "NXS");high
New finding count1
View raw JSON
{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "previous_version": "4.4.7",
    "current_version": "4.4.7",
    "new_findings": [
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "inc/nxs_class_snap.php",
            "line": 105,
            "snippet": "nxs_cURLTest(\"http://45.79.4.45/\", \"HTTPS to NXSA\", \"NXS\");",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}
Medium domain_younger_than_plugin Resolved · no_longer_matches 2026-04-24 04:03:19 (28d ago)
Slugsocial-networks-auto-poster-facebook-twitter-g
Domainnextscripts.net
Domain sourcec2_http_call
Domain registered at2021-06-23
Plugin earliest commit2012-03-02 11:09:36
Plugin latest release2017-10-16 23:49:28
Gap days3,399
Domain age at release-1,345
Active installs30,000
View raw JSON
{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "domain": "nextscripts.net",
    "domain_source": "c2_http_call",
    "domain_registered_at": "2021-06-23",
    "plugin_earliest_commit": "2012-03-02 11:09:36",
    "plugin_latest_release": "2017-10-16 23:49:28",
    "gap_days": 3399,
    "domain_age_at_release": -1345,
    "active_installs": 30000
}
Medium domain_younger_than_plugin Resolved · no_longer_matches 2026-04-24 04:03:19 (28d ago)
Slugsocial-networks-auto-poster-facebook-twitter-g
Domainu.to
Domain sourcec2_http_call
Domain registered at2021-11-18
Plugin earliest commit2012-03-02 11:09:36
Plugin latest release2017-10-16 23:49:28
Gap days3,547
Domain age at release-1,493
Active installs30,000
View raw JSON
{
    "slug": "social-networks-auto-poster-facebook-twitter-g",
    "domain": "u.to",
    "domain_source": "c2_http_call",
    "domain_registered_at": "2021-11-18",
    "plugin_earliest_commit": "2012-03-02 11:09:36",
    "plugin_latest_release": "2017-10-16 23:49:28",
    "gap_days": 3547,
    "domain_age_at_release": -1493,
    "active_installs": 30000
}

SVN committers (2)

Accounts with actual commit access to social-networks-auto-poster-facebook-twitter-g on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
NextScripts Young account 2012-03-01 200 2012-03-02 · r513511 2026-02-26 · r3470733
plugin-master 2007-03-09 1 2012-03-02 · r513443 2012-03-02 · r513443

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
NextScripts 2012-03-01 200 commits Active
okapy 2012-03-02 Active

Versions (13 most recent)

Version Released Download
3.8.8 2017-10-16 · 8y ago zip
3.4.31 2016-03-07 · 10y ago zip
3.2.3 2014-03-06 · 12y ago zip
3.1.2 2014-01-24 · 12y ago zip
3.0.9 2013-12-03 · 12y ago zip
2.7.22 2013-11-01 · 12y ago zip
2.7.14 2013-06-11 · 12y ago zip
2.6.3 2013-02-25 · 13y ago zip
2.5.5 2013-01-29 · 13y ago zip
2.4.8 2013-01-03 · 13y ago zip
1.9.13 2012-09-12 · 13y ago zip
1.7.0 2012-06-05 · 13y ago zip
1.6.1 2012-05-09 · 14y ago zip