WP Beacon

Welcart e-Commerce

usc-e-shop · by uscnanbu · wordpress.org ↗ · SVN ↗
Active installs
10k+
Current version
2.11.28
Added
2009-10-23
Last updated
2026-04-01 (1mo ago)
First seen by beacon
11d ago
Total downloads
1,274,929

Alerts (0)

No open alerts.

Show 1 resolved alert
Medium code_pattern Resolved · fp:vendor_premium_update_channel 2026-04-30 20:41:11 (2d ago)
Slugusc-e-shop
Patternpuc_update_hijack
Kindbuiltin
Version2.11.28
Hit count1
First hit
File
includes/update_check.php
Line
194
Snippet
$$slug = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug );
Explanationplugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.
Shapeunparseable
Url
Url host
Slug arg
View raw JSON
{
    "slug": "usc-e-shop",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "2.11.28",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/update_check.php",
        "line": 194,
        "snippet": "$$slug     = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug );"
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "unparseable",
    "url": null,
    "url_host": null,
    "slug_arg": null
}

SVN committers (1)

Accounts with actual commit access to usc-e-shop on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
info@welcart 2009-10-13 500 2017-05-16 · r1658225 2026-04-01 · r3496135

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
info@welcart 2009-10-13 500 commits Active

Versions (100 most recent)

Version Released Download
2.11.28 2026-04-01 · 1mo ago zip
2.11.27 2026-01-21 · 3mo ago zip
2.11.26 2025-12-16 · 4mo ago zip
2.11.25 2025-11-12 · 5mo ago zip
2.11.24 2025-10-14 · 6mo ago zip
2.11.23 2025-10-08 · 6mo ago zip
2.11.22 2025-10-07 · 6mo ago zip
2.11.21 2025-09-08 · 7mo ago zip
2.11.20 2025-07-22 · 9mo ago zip
2.11.19 2025-07-04 · 10mo ago zip
2.11.18 2025-07-01 · 10mo ago zip
2.11.17 2025-06-23 · 10mo ago zip
2.11.16 2025-05-13 · 11mo ago zip
2.11.15 2025-05-12 · 11mo ago zip
2.11.14 2025-04-30 · 1y ago zip
2.11.13 2025-04-23 · 1y ago zip
2.11.12 2025-03-06 · 1y ago zip
2.11.11 2025-02-26 · 1y ago zip
2.11.10 2025-02-05 · 1y ago zip
2.11.9 2025-01-21 · 1y ago zip
2.11.8 2025-01-08 · 1y ago zip
2.11.7 2024-11-19 · 1y ago zip
2.11.6 2024-11-11 · 1y ago zip
2.11.5 2024-10-28 · 1y ago zip
2.11.4 2024-10-01 · 1y ago zip
2.11.3 2024-09-17 · 1y ago zip
2.11.2 2024-09-03 · 1y ago zip
2.11.1 2024-08-26 · 1y ago zip
2.11 2024-08-20 · 1y ago zip
2.10.6 2024-08-19 · 1y ago zip
2.10.5 2024-07-16 · 1y ago zip
2.10.4 2024-06-26 · 1y ago zip
2.10.3 2024-05-08 · 1y ago zip
2.10.2 2024-04-16 · 2y ago zip
2.10.1 2024-04-02 · 2y ago zip
2.10 2024-04-01 · 2y ago zip
2.9.14 2024-03-12 · 2y ago zip
2.9.13 2024-02-28 · 2y ago zip
2.9.12 2024-02-20 · 2y ago zip
2.9.11 2024-02-19 · 2y ago zip
2.9.10 2024-01-23 · 2y ago zip
2.9.9 2023-12-21 · 2y ago zip
2.9.8 2023-12-20 · 2y ago zip
2.9.7 2023-11-22 · 2y ago zip
2.9.6 2023-11-15 · 2y ago zip
2.9.5 2023-11-09 · 2y ago zip
2.9.4 2023-10-24 · 2y ago zip
2.9.3 2023-10-12 · 2y ago zip
2.9.2 2023-10-10 · 2y ago zip
2.9.1 2023-10-05 · 2y ago zip
2.9 2023-10-03 · 2y ago zip
2.8.23 2023-09-25 · 2y ago zip
2.8.22 2023-09-14 · 2y ago zip
2.8.21 2023-08-28 · 2y ago zip
2.8.20 2023-08-07 · 2y ago zip
2.8.19 2023-07-06 · 2y ago zip
2.8.18 2023-05-16 · 2y ago zip
2.8.17 2023-04-19 · 3y ago zip
2.8.16 2023-04-12 · 3y ago zip
2.8.15 2023-04-11 · 3y ago zip
2.8.14 2023-03-15 · 3y ago zip
2.8.13 2023-02-22 · 3y ago zip
2.8.12 2023-02-14 · 3y ago zip
2.8.11 2023-01-23 · 3y ago zip
2.8.10 2022-12-27 · 3y ago zip
2.8.9 2022-12-23 · 3y ago zip
2.8.8 2022-12-15 · 3y ago zip
2.8.6 2022-12-02 · 3y ago zip
2.8.5 2022-11-30 · 3y ago zip
2.8.4 2022-11-16 · 3y ago zip
2.8.3 2022-11-01 · 3y ago zip
2.8.2 2022-10-20 · 3y ago zip
2.8.1 2022-09-27 · 3y ago zip
2.8 2022-09-16 · 3y ago zip
2.7.8 2022-09-02 · 3y ago zip
2.7.7 2022-09-02 · 3y ago zip
2.7.6 2022-08-30 · 3y ago zip
2.7.5 2022-08-26 · 3y ago zip
2.7.4 2022-08-08 · 3y ago zip
2.7.3 2022-08-03 · 3y ago zip
2.7.2 2022-07-29 · 3y ago zip
2.7.1 2022-07-26 · 3y ago zip
2.7 2022-07-25 · 3y ago zip
2.6.11 2022-07-25 · 3y ago zip
2.6.10 2022-06-27 · 3y ago zip
2.6.9 2022-05-31 · 3y ago zip
2.6.8 2022-05-25 · 3y ago zip
2.6.7 2022-05-13 · 3y ago zip
2.6.6 2022-05-02 · 4y ago zip
2.6.5 2022-04-20 · 4y ago zip
2.6.4 2022-04-19 · 4y ago zip
2.6.3 2022-04-13 · 4y ago zip
2.6.2 2022-04-08 · 4y ago zip
2.6.1 2022-04-05 · 4y ago zip
2.6 2022-04-04 · 4y ago zip
2.5.8 2022-03-28 · 4y ago zip
2.5.7 2022-03-14 · 4y ago zip
2.5.6 2022-03-02 · 4y ago zip
2.5.5 2022-03-01 · 4y ago zip
2.5.4 2022-02-15 · 4y ago zip