Events Manager – Events / Locations Slider

stonehenge-em-slider · by duisterdenhaag
Active installs: 90
Current version: 1.8.7
Added: 2019-01-22
Last updated: 2022-03-10 (4y ago)
First seen by beacon: 1mo ago
Total downloads: 5,752

Alerts (0)

No open alerts.

Resolved alerts (1)

Medium code_pattern Resolved · vendor_self_update_stonehengelabs_license_gated_fp 2026-05-08 16:16:52 (1mo ago)

Slug: stonehenge-em-slider
Pattern: puc_update_hijack
Kind: builtin
Version: 1.8.7
Hit count: 1
First hit:
  File: stonehenge/class-updater.php
  Line: 49
  Snippet: $UpdateChecker = Puc_v4_Factory::buildUpdateChecker(
Explanation: plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shape: unparseable
Url: (empty)
Url host: (empty)
Slug arg: (empty)

Raw JSON:
{
    "slug": "stonehenge-em-slider",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "1.8.7",
    "hit_count": 1,
    "first_hit": {
        "file": "stonehenge/class-updater.php",
        "line": 49,
        "snippet": "$UpdateChecker = Puc_v4_Factory::buildUpdateChecker("
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "unparseable",
    "url": null,
    "url_host": null,
    "slug_arg": null
}

SVN committers (2)

Accounts with actual commit access to stonehenge-em-slider on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

| Committer | Member since | Commits | First commit | Latest commit |
| --- | --- | --- | --- | --- |
| Stonehenge Creations | 2014-07-05 | 50 | 2019-01-22 · r2016910 | 2022-03-10 · r2692037 |
| plugin-master | 2007-03-09 | 1 | 2019-01-15 · r2012929 | 2019-01-15 · r2012929 |

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

| Contributor | Member since | SVN access | Status |
| --- | --- | --- | --- |
| Stonehenge Creations | 2014-07-05 | 50 commits | Active |

Versions (14 most recent)

| Version | Released | Download |
| --- | --- | --- |
| 1.8.7 | 2022-03-10 · 4y ago | zip |
| 1.7.2 | 2021-02-06 · 5y ago | zip |
| 1.8.6 | 2021-02-06 · 5y ago | zip |
| 1.6.1 | 2020-02-12 · 6y ago | zip |
| 1.6.0 | 2019-12-27 · 6y ago | zip |
| 1.5.5 | 2019-09-28 · 6y ago | zip |
| 1.5.4 | 2019-09-12 · 6y ago | zip |
| 1.5.3 | 2019-08-27 · 6y ago | zip |
| 1.5.2 | 2019-08-21 · 6y ago | zip |
| 1.5.0 | 2019-06-19 · 6y ago | zip |
| 1.4 | 2019-04-28 · 7y ago | zip |
| 1.3 | 2019-02-14 · 7y ago | zip |
| 1.1 | 2019-02-01 · 7y ago | zip |
| 1.0 | 2019-01-22 · 7y ago | zip |