Jetpack VaultPress

{
    "slug": "vaultpress",
    "finding_count": 17,
    "findings": [
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "class.vaultpress-database.php",
            "line": 134,
            "snippet": "$wheresql = ' WHERE ' . base64_decode($where);",
            "confidence": "medium"
        },
        {
            "pattern": "eval_call",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 1863,
            "snippet": "$syntax_check = @eval( 'return true;' . $code );",
            "confidence": "medium"
        },
        {
            "pattern": "eval_call",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 1866,
            "snippet": "$this->response( eval( $code . ';' ) );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 454,
            "snippet": "$messages = base64_decode( $response ); // phpcs:ignore WordPress.PHP.DiscouragedPHPFunctions.obfuscation_base64_decode",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 889,
            "snippet": "$response = base64_decode( $this->contact_service( 'plugin_ui' ) );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 1792,
            "snippet": "$_GET['action'] = base64_decode( $_GET['action'] );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 1803,
            "snippet": "$_POST[ base64_decode( $idx ) ] = base64_decode( $val );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 1811,
            "snippet": "$_POST[ base64_decode( $idx ) ] = str_rot13( $val );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 2051,
            "snippet": "$query = @base64_decode( $_POST['query'] );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 2090,
            "snippet": "$bdb->attach( base64_decode( $_POST['table'] ), $parse_create_table );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 2098,
            "snippet": "$this->response( $bdb->diff( unserialize( base64_decode( $signatures ) ) ) );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 2117,
            "snippet": "$bdb->attach( base64_decode( $_POST['table'] ) );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 2209,
            "snippet": "$key = '_vp_config_' . base64_decode( $_POST['key'] );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 2217,
            "snippet": "$key = '_vp_config_' . base64_decode( $_POST['key'] );",
            "confidence": "medium"
        },
        {
            "pattern": "base64_decode",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 2226,
            "snippet": "$val = maybe_unserialize( base64_decode( $_POST['val'] ) );",
            "confidence": "medium"
        }
    ],
    "resolved_sha": "812d3aec9c2954ba133463bd3a72f9313cb2df7b"
}

{
    "slug": "vaultpress",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "4.0.7",
    "hit_count": 1,
    "first_hit": {
        "file": "vaultpress.php",
        "line": 1516,
        "snippet": "L1512: $r = wp_remote_get( $url=sprintf( \"%s://%s/%s?cidr_ranges=1\", $protocol, $hostname, $pa  \u2192  L1516: $data = @unserialize( wp_remote_retrieve_body( $r ) );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

{
    "slug": "vaultpress",
    "previous_version": "4.0.7",
    "current_version": "4.0.7",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 1516,
            "snippet": "L1512: $r = wp_remote_get( $url=sprintf( \"%s://%s/%s?cidr_ranges=1\", $protocol, $hostname, $pa  \u2192  L1516: $data = @unserialize( wp_remote_retrieve_body( $r ) );",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}

{
    "slug": "vaultpress",
    "committer_slug": "benedictsinger",
    "committer_display_name": "benedictsinger",
    "committer_employer": null,
    "committer_member_since": "2015-10-15",
    "committer_first_commit": "2016-03-24 20:48:24",
    "committer_commit_count": 24,
    "plugin_listed_author": "automattic",
    "earliest_plugin_commit": "2013-06-24 20:07:20",
    "plugin_age_at_join_days": 1004,
    "committer_age_at_join_days": 161,
    "active_installs": 10000
}