WP Beacon

Speedy Go

speedy-go · by codeandcore · wordpress.org ↗ · SVN ↗
Active installs
20
Current version
2.1.1
Added
2025-10-29
Last updated
2026-05-25 (18d ago)
First seen by beacon
1mo ago
Total downloads
1,163

Historical audits (1)

Past investigations, all resolved. No current threat.
  • Suspicious Audit #34 baseline 2.0.3 → head 2.1.0 1mo ago

Alerts (0)

No open alerts.

Show 2 resolved alerts
Critical code_pattern Resolved · fp_safe_unserialize_allowed_classes_false 2026-06-06 05:51:09 (6d ago)
Slugspeedy-go
Patternunserialize_after_remote_call
Kindbuiltin
Version2.1.1
Hit count1
First hit
File
includes/api-key-api.php
Line
298
Snippet
L290: $resbody = wp_remote_retrieve_body($response); → L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "speedy-go",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "2.1.1",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/api-key-api.php",
        "line": 298,
        "snippet": "L290: $resbody = wp_remote_retrieve_body($response);  \u2192  L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
Critical code_scan_delta Resolved · fp_safe_unserialize_allowed_classes_false 2026-06-06 02:05:00 (6d ago)
Slugspeedy-go
Previous version2.1.0
Current version2.1.1
New findings
PatternKindFileLineSnippetConfidence
unserialize_after_remote_callbuiltinincludes/api-key-api.php298L290: $resbody = wp_remote_retrieve_body($response); → L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)high
New finding count1
View raw JSON
{
    "slug": "speedy-go",
    "previous_version": "2.1.0",
    "current_version": "2.1.1",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/api-key-api.php",
            "line": 298,
            "snippet": "L290: $resbody = wp_remote_retrieve_body($response);  \u2192  L298: while (is_string($opts) && @unserialize($opts, ['allowed_classes' => false]) !== false)",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}

SVN committers (2)

Accounts with actual commit access to speedy-go on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
Code and Core 2024-04-24 1 2025-10-29 · r3386469 2026-05-25 · r3547774
plugin-master 2007-03-09 1 2025-10-29 · r3386438 2025-10-29 · r3386438

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
Code and Core 2024-04-24 1 commits Active

Versions (8 most recent)

Version Released Download
2.1.1 2026-05-25 · 18d ago zip
2.1.0 2026-05-04 · 1mo ago zip
2.0.3 2026-03-16 · 2mo ago zip
2.0.2 2026-03-10 · 3mo ago zip
2.0.1 2026-03-03 · 3mo ago zip
2.0.0 2026-03-03 · 3mo ago zip
1.0.1 2026-02-24 · 3mo ago zip
1.0.0 2025-10-29 · 7mo ago zip