Welcart e-Commerce

usc-e-shop · by uscnanbu · wordpress.org ↗ · SVN ↗
Active installs
10k+
Current version
2.11.28
Added
2009-10-23
Last updated
2026-04-01 (1mo ago)
First seen by beacon
1mo ago
Total downloads
1,275,117

Alerts (0)

No open alerts.

Resolved alerts (2)
High code_scan_match Resolved · code_scan_fp_class_vendor_cdn_enqueue 2026-05-05 12:51:05 (17d ago)
Slug: usc-e-shop
Finding count: 471 (15 listed below)
Findings
Pattern | Kind | File | Line | Snippet | Confidence | Details
remote_enqueue | builtin | tags/2.9.2/functions/filters.php | 1,799 | wp_enqueue_script( 'usces_ajaxzip3', 'https://ajaxzip3.github.io/ajaxzip3.js', array(), current_time( 'timestamp' ), false ); | medium
Url
https://ajaxzip3.github.io/ajaxzip3.js
Url host
ajaxzip3.github.io
puc_update_hijack | builtin | tags/2.9.2/includes/update_check.php | 91 | $$slug = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug ); | high
Url
Url host
Slug arg
hardcoded_ip_url | builtin | tags/1.7.3/classes/usceshop.class.php | 1,727 | $options['acting_settings']['mizuho']['send_url_test'] = "https://210.161.141.207/mltbank/MBWebFrontPayment"; | high
hardcoded_ip_url | builtin | tags/1.7.3/classes/usceshop.class.php | 1,728 | if( defined('WCEX_MOBILE') ) $options['acting_settings']['mizuho']['send_url_mbl_test'] = "https://210.161.141.207/mltbank/iMBWebFrontPayment"; | high
remote_enqueue | builtin | tags/1.7.3/functions/filters.php | 1,399 | wp_enqueue_script( 'usces_ajaxzip3', "https://ajaxzip3.github.io/ajaxzip3.js" ); | medium
Url
https://ajaxzip3.github.io/ajaxzip3.js
Url host
ajaxzip3.github.io
remote_enqueue | builtin | tags/1.9.25/functions/filters.php | 1,308 | wp_enqueue_script( 'usces_ajaxzip3', "https://ajaxzip3.github.io/ajaxzip3.js" ); | medium
Url
https://ajaxzip3.github.io/ajaxzip3.js
Url host
ajaxzip3.github.io
hardcoded_ip_url | builtin | tags/1.6/classes/usceshop.class.php | 1,697 | $options['acting_settings']['mizuho']['send_url_test'] = "https://210.161.141.207/mltbank/MBWebFrontPayment"; | high
hardcoded_ip_url | builtin | tags/1.6/classes/usceshop.class.php | 1,698 | if( defined('WCEX_MOBILE') ) $options['acting_settings']['mizuho']['send_url_mbl_test'] = "https://210.161.141.207/mltbank/iMBWebFrontPayment"; | high
hardcoded_ip_url | builtin | tags/1.3.10.2/classes/usceshop.class.php | 1,553 | $options['acting_settings']['mizuho']['send_url_test'] = "https://210.161.141.207/mltbank/MBWebFrontPayment"; | high
hardcoded_ip_url | builtin | tags/1.3.10.2/classes/usceshop.class.php | 1,554 | if( defined('WCEX_MOBILE') ) $options['acting_settings']['mizuho']['send_url_mbl_test'] = "https://210.161.141.207/mltbank/iMBWebFrontPayment"; | high
remote_enqueue | builtin | tags/2.8.20/functions/filters.php | 1,784 | wp_enqueue_script( 'usces_ajaxzip3', 'https://ajaxzip3.github.io/ajaxzip3.js', array(), current_time( 'timestamp' ), false ); | medium
Url
https://ajaxzip3.github.io/ajaxzip3.js
Url host
ajaxzip3.github.io
puc_update_hijack | builtin | tags/2.8.20/includes/update_check.php | 91 | $$slug = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug ); | high
Url
Url host
Slug arg
remote_enqueue | builtin | tags/2.11.8/functions/filters.php | 1,815 | wp_enqueue_script( 'usces_ajaxzip3', 'https://ajaxzip3.github.io/ajaxzip3.js', array(), current_time( 'timestamp' ), false ); | medium
Url
https://ajaxzip3.github.io/ajaxzip3.js
Url host
ajaxzip3.github.io
puc_update_hijack | builtin | tags/2.11.8/includes/update_check.php | 194 | $$slug = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug ); | high
Url
Url host
Slug arg
remote_enqueue | builtin | tags/2.8.3/functions/filters.php | 1,730 | wp_enqueue_script( 'usces_ajaxzip3', "https://ajaxzip3.github.io/ajaxzip3.js" ); | medium
Url
https://ajaxzip3.github.io/ajaxzip3.js
Url host
ajaxzip3.github.io
Resolved sha: 907d4df9ce22d49fedd098f4cbffae6b8349dad5
View raw JSON
{
    "slug": "usc-e-shop",
    "finding_count": 471,
    "findings": [
        {
            "pattern": "remote_enqueue",
            "kind": "builtin",
            "file": "tags/2.9.2/functions/filters.php",
            "line": 1799,
            "snippet": "wp_enqueue_script( 'usces_ajaxzip3', 'https://ajaxzip3.github.io/ajaxzip3.js', array(), current_time( 'timestamp' ), false );",
            "confidence": "medium",
            "details": {
                "url": "https://ajaxzip3.github.io/ajaxzip3.js",
                "url_host": "ajaxzip3.github.io"
            }
        },
        {
            "pattern": "puc_update_hijack",
            "kind": "builtin",
            "file": "tags/2.9.2/includes/update_check.php",
            "line": 91,
            "snippet": "$$slug     = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug );",
            "confidence": "high",
            "details": {
                "url": null,
                "url_host": null,
                "slug_arg": null
            }
        },
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "tags/1.7.3/classes/usceshop.class.php",
            "line": 1727,
            "snippet": "$options['acting_settings']['mizuho']['send_url_test'] = \"https://210.161.141.207/mltbank/MBWebFrontPayment\";",
            "confidence": "high"
        },
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "tags/1.7.3/classes/usceshop.class.php",
            "line": 1728,
            "snippet": "if( defined('WCEX_MOBILE') ) $options['acting_settings']['mizuho']['send_url_mbl_test'] = \"https://210.161.141.207/mltbank/iMBWebFrontPayment\";",
            "confidence": "high"
        },
        {
            "pattern": "remote_enqueue",
            "kind": "builtin",
            "file": "tags/1.7.3/functions/filters.php",
            "line": 1399,
            "snippet": "wp_enqueue_script( 'usces_ajaxzip3', \"https://ajaxzip3.github.io/ajaxzip3.js\" );",
            "confidence": "medium",
            "details": {
                "url": "https://ajaxzip3.github.io/ajaxzip3.js",
                "url_host": "ajaxzip3.github.io"
            }
        },
        {
            "pattern": "remote_enqueue",
            "kind": "builtin",
            "file": "tags/1.9.25/functions/filters.php",
            "line": 1308,
            "snippet": "wp_enqueue_script( 'usces_ajaxzip3', \"https://ajaxzip3.github.io/ajaxzip3.js\" );",
            "confidence": "medium",
            "details": {
                "url": "https://ajaxzip3.github.io/ajaxzip3.js",
                "url_host": "ajaxzip3.github.io"
            }
        },
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "tags/1.6/classes/usceshop.class.php",
            "line": 1697,
            "snippet": "$options['acting_settings']['mizuho']['send_url_test'] = \"https://210.161.141.207/mltbank/MBWebFrontPayment\";",
            "confidence": "high"
        },
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "tags/1.6/classes/usceshop.class.php",
            "line": 1698,
            "snippet": "if( defined('WCEX_MOBILE') ) $options['acting_settings']['mizuho']['send_url_mbl_test'] = \"https://210.161.141.207/mltbank/iMBWebFrontPayment\";",
            "confidence": "high"
        },
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "tags/1.3.10.2/classes/usceshop.class.php",
            "line": 1553,
            "snippet": "$options['acting_settings']['mizuho']['send_url_test'] = \"https://210.161.141.207/mltbank/MBWebFrontPayment\";",
            "confidence": "high"
        },
        {
            "pattern": "hardcoded_ip_url",
            "kind": "builtin",
            "file": "tags/1.3.10.2/classes/usceshop.class.php",
            "line": 1554,
            "snippet": "if( defined('WCEX_MOBILE') ) $options['acting_settings']['mizuho']['send_url_mbl_test'] = \"https://210.161.141.207/mltbank/iMBWebFrontPayment\";",
            "confidence": "high"
        },
        {
            "pattern": "remote_enqueue",
            "kind": "builtin",
            "file": "tags/2.8.20/functions/filters.php",
            "line": 1784,
            "snippet": "wp_enqueue_script( 'usces_ajaxzip3', 'https://ajaxzip3.github.io/ajaxzip3.js', array(), current_time( 'timestamp' ), false );",
            "confidence": "medium",
            "details": {
                "url": "https://ajaxzip3.github.io/ajaxzip3.js",
                "url_host": "ajaxzip3.github.io"
            }
        },
        {
            "pattern": "puc_update_hijack",
            "kind": "builtin",
            "file": "tags/2.8.20/includes/update_check.php",
            "line": 91,
            "snippet": "$$slug     = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug );",
            "confidence": "high",
            "details": {
                "url": null,
                "url_host": null,
                "slug_arg": null
            }
        },
        {
            "pattern": "remote_enqueue",
            "kind": "builtin",
            "file": "tags/2.11.8/functions/filters.php",
            "line": 1815,
            "snippet": "wp_enqueue_script( 'usces_ajaxzip3', 'https://ajaxzip3.github.io/ajaxzip3.js', array(), current_time( 'timestamp' ), false );",
            "confidence": "medium",
            "details": {
                "url": "https://ajaxzip3.github.io/ajaxzip3.js",
                "url_host": "ajaxzip3.github.io"
            }
        },
        {
            "pattern": "puc_update_hijack",
            "kind": "builtin",
            "file": "tags/2.11.8/includes/update_check.php",
            "line": 194,
            "snippet": "$$slug     = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug );",
            "confidence": "high",
            "details": {
                "url": null,
                "url_host": null,
                "slug_arg": null
            }
        },
        {
            "pattern": "remote_enqueue",
            "kind": "builtin",
            "file": "tags/2.8.3/functions/filters.php",
            "line": 1730,
            "snippet": "wp_enqueue_script( 'usces_ajaxzip3', \"https://ajaxzip3.github.io/ajaxzip3.js\" );",
            "confidence": "medium",
            "details": {
                "url": "https://ajaxzip3.github.io/ajaxzip3.js",
                "url_host": "ajaxzip3.github.io"
            }
        }
    ],
    "resolved_sha": "907d4df9ce22d49fedd098f4cbffae6b8349dad5"
}
Medium code_pattern Resolved · fp:vendor_premium_update_channel 2026-04-30 20:41:11 (22d ago)
Slug: usc-e-shop
Pattern: puc_update_hijack
Kind: builtin
Version: 2.11.28
Hit count: 1
First hit
File
includes/update_check.php
Line
194
Snippet
$$slug = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug );
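Explanation: plugin calls `::buildUpdateChecker()` — the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal. In this hit the first argument is the variable `$json_path`, so the scanner extracted no URL (shape `unparseable`; the Url, Url host and Slug arg fields are empty). The match therefore shows only that the library is called, not which host is polled; confirming the update source requires tracing where `$json_path` is assigned in `includes/update_check.php`.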
Shape: unparseable
Url
Url host
Slug arg
View raw JSON
{
    "slug": "usc-e-shop",
    "pattern": "puc_update_hijack",
    "kind": "builtin",
    "version": "2.11.28",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/update_check.php",
        "line": 194,
        "snippet": "$$slug     = Puc_v4_Factory::buildUpdateChecker( $json_path, $fullpath, $slug );"
    },
    "explanation": "plugin calls `::buildUpdateChecker()` \u2014 the factory entry point of the Yahnis Elsts Plugin Update Checker library. A plugin distributed through wordpress.org that registers its own update source is bypassing the Plugin Review Team: every install polls the non-wp.org URL on cron and installs whatever JSON + zip it returns, with full plugin-author permissions. This is the mechanism behind the `anadnet`/quick-pagepost-redirect-plugin compromise (2021) where the author seeded 70,000+ installs through tagged releases and then removed the library from trunk to hide the persistence. Any URL argument pointing away from `downloads.wordpress.org`/`api.wordpress.org` is the hijack signal.",
    "shape": "unparseable",
    "url": null,
    "url_host": null,
    "slug_arg": null
}

SVN committers (1)

Accounts with actual commit access to usc-e-shop on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
info@welcart 2009-10-13 500 2017-05-16 · r1658225 2026-04-01 · r3496135

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
info@welcart 2009-10-13 500 commits Active

Versions (100 most recent)

Version Released Download
2.11.28 2026-04-01 · 1mo ago zip
2.11.27 2026-01-21 · 4mo ago zip
2.11.26 2025-12-16 · 5mo ago zip
2.11.25 2025-11-12 · 6mo ago zip
2.11.24 2025-10-14 · 7mo ago zip
2.11.23 2025-10-08 · 7mo ago zip
2.11.22 2025-10-07 · 7mo ago zip
2.11.21 2025-09-08 · 8mo ago zip
2.11.20 2025-07-22 · 10mo ago zip
2.11.19 2025-07-04 · 10mo ago zip
2.11.18 2025-07-01 · 10mo ago zip
2.11.17 2025-06-23 · 11mo ago zip
2.11.16 2025-05-13 · 1y ago zip
2.11.15 2025-05-12 · 1y ago zip
2.11.14 2025-04-30 · 1y ago zip
2.11.13 2025-04-23 · 1y ago zip
2.11.12 2025-03-06 · 1y ago zip
2.11.11 2025-02-26 · 1y ago zip
2.11.10 2025-02-05 · 1y ago zip
2.11.9 2025-01-21 · 1y ago zip
2.11.8 2025-01-08 · 1y ago zip
2.11.7 2024-11-19 · 1y ago zip
2.11.6 2024-11-11 · 1y ago zip
2.11.5 2024-10-28 · 1y ago zip
2.11.4 2024-10-01 · 1y ago zip
2.11.3 2024-09-17 · 1y ago zip
2.11.2 2024-09-03 · 1y ago zip
2.11.1 2024-08-26 · 1y ago zip
2.11 2024-08-20 · 1y ago zip
2.10.6 2024-08-19 · 1y ago zip
2.10.5 2024-07-16 · 1y ago zip
2.10.4 2024-06-26 · 1y ago zip
2.10.3 2024-05-08 · 2y ago zip
2.10.2 2024-04-16 · 2y ago zip
2.10.1 2024-04-02 · 2y ago zip
2.10 2024-04-01 · 2y ago zip
2.9.14 2024-03-12 · 2y ago zip
2.9.13 2024-02-28 · 2y ago zip
2.9.12 2024-02-20 · 2y ago zip
2.9.11 2024-02-19 · 2y ago zip
2.9.10 2024-01-23 · 2y ago zip
2.9.9 2023-12-21 · 2y ago zip
2.9.8 2023-12-20 · 2y ago zip
2.9.7 2023-11-22 · 2y ago zip
2.9.6 2023-11-15 · 2y ago zip
2.9.5 2023-11-09 · 2y ago zip
2.9.4 2023-10-24 · 2y ago zip
2.9.3 2023-10-12 · 2y ago zip
2.9.2 2023-10-10 · 2y ago zip
2.9.1 2023-10-05 · 2y ago zip
2.9 2023-10-03 · 2y ago zip
2.8.23 2023-09-25 · 2y ago zip
2.8.22 2023-09-14 · 2y ago zip
2.8.21 2023-08-28 · 2y ago zip
2.8.20 2023-08-07 · 2y ago zip
2.8.19 2023-07-06 · 2y ago zip
2.8.18 2023-05-16 · 3y ago zip
2.8.17 2023-04-19 · 3y ago zip
2.8.16 2023-04-12 · 3y ago zip
2.8.15 2023-04-11 · 3y ago zip
2.8.14 2023-03-15 · 3y ago zip
2.8.13 2023-02-22 · 3y ago zip
2.8.12 2023-02-14 · 3y ago zip
2.8.11 2023-01-23 · 3y ago zip
2.8.10 2022-12-27 · 3y ago zip
2.8.9 2022-12-23 · 3y ago zip
2.8.8 2022-12-15 · 3y ago zip
2.8.6 2022-12-02 · 3y ago zip
2.8.5 2022-11-30 · 3y ago zip
2.8.4 2022-11-16 · 3y ago zip
2.8.3 2022-11-01 · 3y ago zip
2.8.2 2022-10-20 · 3y ago zip
2.8.1 2022-09-27 · 3y ago zip
2.8 2022-09-16 · 3y ago zip
2.7.8 2022-09-02 · 3y ago zip
2.7.7 2022-09-02 · 3y ago zip
2.7.6 2022-08-30 · 3y ago zip
2.7.5 2022-08-26 · 3y ago zip
2.7.4 2022-08-08 · 3y ago zip
2.7.3 2022-08-03 · 3y ago zip
2.7.2 2022-07-29 · 3y ago zip
2.7.1 2022-07-26 · 3y ago zip
2.7 2022-07-25 · 3y ago zip
2.6.11 2022-07-25 · 3y ago zip
2.6.10 2022-06-27 · 3y ago zip
2.6.9 2022-05-31 · 3y ago zip
2.6.8 2022-05-25 · 3y ago zip
2.6.7 2022-05-13 · 4y ago zip
2.6.6 2022-05-02 · 4y ago zip
2.6.5 2022-04-20 · 4y ago zip
2.6.4 2022-04-19 · 4y ago zip
2.6.3 2022-04-13 · 4y ago zip
2.6.2 2022-04-08 · 4y ago zip
2.6.1 2022-04-05 · 4y ago zip
2.6 2022-04-04 · 4y ago zip
2.5.8 2022-03-28 · 4y ago zip
2.5.7 2022-03-14 · 4y ago zip
2.5.6 2022-03-02 · 4y ago zip
2.5.5 2022-03-01 · 4y ago zip
2.5.4 2022-02-15 · 4y ago zip