Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

ultimate-member · by ultimatemember · wordpress.org ↗ · SVN ↗
Active installs
200k+
Current version
2.11.4
Added
2015-01-21
Last updated
2026-04-30 (2d ago)
First seen by beacon
11d ago
Total downloads
12,947,265

Alerts (0)

No open alerts.

Show 2 resolved alerts
Critical code_pattern Resolved · no_longer_matches 2026-04-24 17:01:47 (8d ago)
Slug: ultimate-member
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 2.11.3
Hit count: 7
First hit
File
includes/core/class-plugin-updater.php
Line
295
Snippet
L279: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L295: $request = ( $request ) ? maybe_unserialize( $request ) : false;
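Explanation: A remote HTTP fetch (`wp_remote_*`/`curl_exec`/`file_get_contents`) is followed by `@unserialize` within the same file — a classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. The error-suppressed form is the tell: legitimate code wants to know when deserialization fails; attackers suppress the error so malformed gadgets do not leak. Note for triage: the hit shown above is a call to WordPress's `maybe_unserialize()` helper on data that follows a `json_decode( wp_remote_retrieve_body( ... ) )`, not a literal `@unserialize` in the plugin's own code. Whether it is dangerous depends on which endpoint supplies the response, whether the transport is verified, and whether the fields passed to `maybe_unserialize()` can ever contain serialized objects. Where remote data must be deserialized at all, JSON-only fields or `unserialize()` with `allowed_classes` set to `false` remove the object-injection path.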
View raw JSON
{
    "slug": "ultimate-member",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "2.11.3",
    "hit_count": 7,
    "first_hit": {
        "file": "includes/core/class-plugin-updater.php",
        "line": 295,
        "snippet": "L279: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L295: $request = ( $request ) ? maybe_unserialize( $request ) : false;"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*`/`curl_exec`/`file_get_contents`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak."
}
Critical code_scan_delta Resolved · fp_edd_updater_library 2026-04-24 16:22:01 (8d ago)
Slug: ultimate-member
Previous version: 2.11.3
Current version: 2.11.3
New findings
| Pattern | Kind | File | Line | Snippet | Confidence |
| --- | --- | --- | --- | --- | --- |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 295 | L279: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L295: $request = ( $request ) ? maybe_unserialize( $request ) : false; | high |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 331 | L326: wp_remote_retrieve_body( $request->$slug->get_version_check ) → L331: $request->$slug->get_version_check->banners = maybe_unserialize( $request->$slug->g | high |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 335 | L326: wp_remote_retrieve_body( $request->$slug->get_version_check ) → L335: $request->$slug->get_version_check->icons = maybe_unserialize( $request->$slug->get | high |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 453 | L439: $request = wp_remote_post( → L453: $request->sections = maybe_unserialize( $request->sections ); | high |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 460 | L449: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L460: $request->banners = maybe_unserialize( $request->banners ); | high |
| unserialize_after_remote_call | builtin | includes/core/class-plugin-updater.php | 464 | L449: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L464: $request->icons = maybe_unserialize( $request->icons ); | high |
| unserialize_after_remote_call | builtin | includes/admin/core/class-admin-settings.php | 3,094 | L3074: $request = json_decode( wp_remote_retrieve_body( $request ) ); → L3094: $request = ( $request ) ? maybe_unserialize( $request ) : false; | high |
New finding count: 7
View raw JSON
{
    "slug": "ultimate-member",
    "previous_version": "2.11.3",
    "current_version": "2.11.3",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 295,
            "snippet": "L279: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L295: $request = ( $request ) ? maybe_unserialize( $request ) : false;",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 331,
            "snippet": "L326: wp_remote_retrieve_body( $request->$slug->get_version_check )  \u2192  L331: $request->$slug->get_version_check->banners = maybe_unserialize( $request->$slug->g",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 335,
            "snippet": "L326: wp_remote_retrieve_body( $request->$slug->get_version_check )  \u2192  L335: $request->$slug->get_version_check->icons = maybe_unserialize( $request->$slug->get",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 453,
            "snippet": "L439: $request = wp_remote_post(  \u2192  L453: $request->sections = maybe_unserialize( $request->sections );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 460,
            "snippet": "L449: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L460: $request->banners = maybe_unserialize( $request->banners );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/core/class-plugin-updater.php",
            "line": 464,
            "snippet": "L449: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L464: $request->icons = maybe_unserialize( $request->icons );",
            "confidence": "high"
        },
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/admin/core/class-admin-settings.php",
            "line": 3094,
            "snippet": "L3074: $request = json_decode( wp_remote_retrieve_body( $request ) );  \u2192  L3094: $request = ( $request ) ? maybe_unserialize( $request ) : false;",
            "confidence": "high"
        }
    ],
    "new_finding_count": 7
}

SVN committers (3)

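Accounts with actual commit access to ultimate-member on plugins.svn.wordpress.org, reconstructed from svn log — so the list shows accounts that have committed at least once; an account that holds access but has never committed will not appear. This is the list that matters for ownership changes — not the readme contributors. Treat the Commits column as approximate: a row can show a count of 1 alongside different first and latest revisions.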

Committer Member since Commits First commit Latest commit
Ultimate Member Young account 2015-01-13 175 2015-03-20 · r1116821 2016-02-24 · r1357486
Champ Camba Young account 2015-12-09 112 2016-02-10 · r1347496 2018-01-03 · r1796377
Mykyta Synelnikov 2015-04-16 1 2017-09-18 · r1731551 2026-04-30 · r3519508

Readme contributors (3)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
Ultimate Member 2015-01-13 175 commits Active
Champ Camba 2015-12-09 112 commits Active
Mykyta Synelnikov 2015-04-16 1 commits Active

Versions (100 most recent)

Version Released Download
2.11.4 2026-04-30 · 2d ago zip
2.11.3 2026-03-26 · 1mo ago zip
2.11.2 2026-02-10 · 2mo ago zip
2.11.1 2025-12-16 · 4mo ago zip
2.11.0 2025-12-02 · 5mo ago zip
2.10.6 2025-10-02 · 7mo ago zip
2.10.5 2025-06-25 · 10mo ago zip
2.10.4 2025-05-14 · 11mo ago zip
2.10.3 2025-04-24 · 1y ago zip
2.10.2 2025-04-02 · 1y ago zip
2.10.1 2025-03-03 · 1y ago zip
2.10.0 2025-02-18 · 1y ago zip
2.9.2 2025-01-31 · 1y ago zip
2.9.1 2024-11-15 · 1y ago zip
2.9.0 2024-11-12 · 1y ago zip
2.8.9 2024-10-14 · 1y ago zip
2.8.8 2024-10-04 · 1y ago zip
2.8.7 2024-10-01 · 1y ago zip
2.8.6 2024-07-02 · 1y ago zip
2.8.5 2024-05-09 · 1y ago zip
2.8.4 2024-03-06 · 2y ago zip
2.8.3 2024-02-19 · 2y ago zip
2.8.2 2024-01-15 · 2y ago zip
2.8.1 2023-12-20 · 2y ago zip
2.8.0 2023-12-11 · 2y ago zip
2.7.0 2023-10-11 · 2y ago zip
2.6.11 2023-09-06 · 2y ago zip
2.6.10 2023-08-17 · 2y ago zip
2.6.9 2023-07-26 · 2y ago zip
2.6.8 2023-07-19 · 2y ago zip
2.6.7 2023-07-01 · 2y ago zip
2.6.6 2023-06-29 · 2y ago zip
2.6.5 2023-06-28 · 2y ago zip
2.6.4 2023-06-27 · 2y ago zip
2.6.3 2023-06-14 · 2y ago zip
2.6.2 2023-05-31 · 2y ago zip
2.6.1 2023-05-29 · 2y ago zip
2.6.0 2023-03-29 · 3y ago zip
2.5.4 2023-02-17 · 3y ago zip
2.5.3 2022-12-19 · 3y ago zip
2.5.2 2022-12-15 · 3y ago zip
2.5.1 2022-10-26 · 3y ago zip
2.5.0 2022-08-18 · 3y ago zip
2.4.2 2022-07-14 · 3y ago zip
2.4.1 2022-06-13 · 3y ago zip
2.4.0 2022-06-01 · 3y ago zip
2.3.2 2022-04-21 · 4y ago zip
2.3.1 2022-02-10 · 4y ago zip
2.3.0 2021-12-20 · 4y ago zip
2.2.5 2021-09-22 · 4y ago zip
2.2.4 2021-08-27 · 4y ago zip
2.2.3 2021-08-25 · 4y ago zip
2.2.2 2021-08-03 · 4y ago zip
2.2.1 2021-08-02 · 4y ago zip
2.2.0 2021-07-20 · 4y ago zip
2.1.21 2021-06-17 · 4y ago zip
2.1.20 2021-05-10 · 4y ago zip
2.1.19 2021-04-20 · 5y ago zip
2.1.18 2021-04-20 · 5y ago zip
2.1.17 2021-04-14 · 5y ago zip
2.1.16 2021-03-10 · 5y ago zip
2.1.15 2020-12-24 · 5y ago zip
2.1.14 2020-12-22 · 5y ago zip
2.1.13 2020-12-09 · 5y ago zip
2.1.12 2020-10-29 · 5y ago zip
2.1.11 2020-10-07 · 5y ago zip
2.1.10 2020-09-23 · 5y ago zip
2.1.9 2020-09-09 · 5y ago zip
2.1.8 2020-09-02 · 5y ago zip
2.1.7 2020-08-24 · 5y ago zip
2.1.6 2020-07-24 · 5y ago zip
2.1.5 2020-04-02 · 6y ago zip
2.1.4 2020-03-03 · 6y ago zip
2.1.3 2020-02-04 · 6y ago zip
2.1.2 2019-12-04 · 6y ago zip
2.1.1 2019-11-12 · 6y ago zip
2.1.0 2019-11-11 · 6y ago zip
2.0.56 2019-08-21 · 6y ago zip
2.0.55 2019-08-16 · 6y ago zip
2.0.54 2019-07-22 · 6y ago zip
2.0.53 2019-07-16 · 6y ago zip
2.0.52 2019-07-11 · 6y ago zip
2.0.51 2019-07-09 · 6y ago zip
2.0.50 2019-07-02 · 6y ago zip
2.0.49 2019-05-29 · 6y ago zip
2.0.48 2019-05-16 · 6y ago zip
2.0.47 2019-05-14 · 6y ago zip
2.0.46 2019-05-10 · 6y ago zip
2.0.45 2019-05-08 · 6y ago zip
2.0.44 2019-05-08 · 6y ago zip
2.0.43 2019-03-29 · 7y ago zip
2.0.42 2019-03-28 · 7y ago zip
2.0.41 2019-03-27 · 7y ago zip
2.0.40 2019-03-12 · 7y ago zip
2.0.39 2019-02-11 · 7y ago zip
2.0.38 2019-01-10 · 7y ago zip
2.0.37 2019-01-08 · 7y ago zip
2.0.36 2019-01-07 · 7y ago zip
2.0.35 2018-12-09 · 7y ago zip
2.0.34 2018-12-07 · 7y ago zip