Jetpack VaultPress

vaultpress · by automattic · wordpress.org ↗ · SVN ↗
Active installs: 10k+
Current version: 4.0.7
Added: 2013-06-25
Last updated: 2026-04-10 (21d ago)
First seen by beacon: 10d ago
Total downloads: 2,038,094

Alerts (0)

No open alerts.

Resolved alerts (3)
Critical code_pattern Resolved · benign_architectural_concern 2026-04-30 15:25:29 (1d ago)
Slug: vaultpress
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 4.0.7
Hit count: 1
First hit:
File: vaultpress.php
Line: 1,516
Snippet: L1512: $r = wp_remote_get( $url=sprintf( "%s://%s/%s?cidr_ranges=1", $protocol, $hostname, $pa → L1516: $data = @unserialize( wp_remote_retrieve_body( $r ) );
Explanation: A remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
Raw JSON:
{
    "slug": "vaultpress",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "4.0.7",
    "hit_count": 1,
    "first_hit": {
        "file": "vaultpress.php",
        "line": 1516,
        "snippet": "L1512: $r = wp_remote_get( $url=sprintf( \"%s://%s/%s?cidr_ranges=1\", $protocol, $hostname, $pa  \u2192  L1516: $data = @unserialize( wp_remote_retrieve_body( $r ) );"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
Critical code_scan_delta Resolved · false_positive_cdn_known_good 2026-04-30 09:12:33 (2d ago)
Slug: vaultpress
Previous version: 4.0.7
Current version: 4.0.7
New findings:
Pattern: unserialize_after_remote_call
Kind: builtin
File: vaultpress.php
Line: 1,516
Snippet: L1512: $r = wp_remote_get( $url=sprintf( "%s://%s/%s?cidr_ranges=1", $protocol, $hostname, $pa → L1516: $data = @unserialize( wp_remote_retrieve_body( $r ) );
Confidence: high
New finding count: 1
Raw JSON:
{
    "slug": "vaultpress",
    "previous_version": "4.0.7",
    "current_version": "4.0.7",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "vaultpress.php",
            "line": 1516,
            "snippet": "L1512: $r = wp_remote_get( $url=sprintf( \"%s://%s/%s?cidr_ranges=1\", $protocol, $hostname, $pa  \u2192  L1516: $data = @unserialize( wp_remote_retrieve_body( $r ) );",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}
Medium committer_younger_than_plugin Resolved · benign_company_employee 2026-04-27 10:32:31 (5d ago)
Slug: vaultpress
Committer slug: benedictsinger
Committer display name: benedictsinger
Committer employer: (none)
Committer member since: 2015-10-15
Committer first commit: 2016-03-24 20:48:24
Committer commit count: 24
Plugin listed author: automattic
Earliest plugin commit: 2013-06-24 20:07:20
Plugin age at join days: 1,004
Committer age at join days: 161
Active installs: 10,000
Raw JSON:
{
    "slug": "vaultpress",
    "committer_slug": "benedictsinger",
    "committer_display_name": "benedictsinger",
    "committer_employer": null,
    "committer_member_since": "2015-10-15",
    "committer_first_commit": "2016-03-24 20:48:24",
    "committer_commit_count": 24,
    "plugin_listed_author": "automattic",
    "earliest_plugin_commit": "2013-06-24 20:07:20",
    "plugin_age_at_join_days": 1004,
    "committer_age_at_join_days": 161,
    "active_installs": 10000
}

SVN committers (21)

Accounts with actual commit access to vaultpress on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
Mark (a11n) 2013-06-25 91 2013-10-10 · r785672 2019-03-19 · r2053117
briancolinger 2009-01-31 66 2013-07-02 · r735231 2019-12-14 · r2212182
Alex Concha 2005-01-09 30 2013-06-26 · r731962 2015-03-16 · r1113817
benedictsinger 2015-10-15 24 2016-03-24 · r1378268 2017-12-15 · r1787826
Jetpack 2022-08-17 22 2025-01-10 · r3220346 2026-04-10 · r3503602
Sami Falah 2018-06-07 20 2022-07-06 · r2752766 2024-02-21 · r3039445
Alex Mills 2003-10-21 16 2015-11-06 · r1280844 2016-08-08 · r1469745
Jeremy Herve 2010-08-18 14 2019-07-09 · r2120238 2023-03-27 · r2887757
George Stephanis 2010-09-21 13 2020-08-05 · r2353267 2020-08-07 · r2354794
Kelly Choyce-Dwan 2009-02-01 9 2015-02-25 · r1099574 2015-09-15 · r1246027
Joseph Scott 2004-05-05 6 2014-07-09 · r945708 2014-09-10 · r986778
miguelxavierpenha [Young account] 2021-10-07 6 2021-10-07 · r2611140 2021-10-11 · r2612656
bradshawtm 2019-01-10 6 2025-04-07 · r3267998 2026-04-10 · r3503608
Rafael Agostini 2013-04-11 5 2022-11-15 · r2818464 2022-11-17 · r2819880
shaunandrews 2006-07-13 3 2013-06-25 · r731682 2013-07-01 · r734763
Rich Collier 2016-06-28 3 2018-05-04 · r1868889 2018-08-25 · r1930234
Automattic 2009-11-05 2 2013-06-25 · r731365 2016-04-14 · r1395282
plugin-master 2007-03-09 1 2013-06-24 · r731108 2013-06-24 · r731108
Michael Arestad 2011-09-27 1 2013-12-17 · r823519 2013-12-17 · r823519
Derek Smart 2014-07-13 1 2019-07-12 · r2121889 2019-07-12 · r2121889
Brandon Kraft 2011-04-29 1 2019-12-09 · r2208858 2019-12-09 · r2208858

Readme contributors (19)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
Mark (a11n) 2013-06-25 91 commits Active
briancolinger 2009-01-31 66 commits Active
Alex Concha 2005-01-09 30 commits Active
Alex Mills 2003-10-21 16 commits Active
Jeremy Herve 2010-08-18 14 commits Active
George Stephanis 2010-09-21 13 commits Active
Joseph Scott 2004-05-05 6 commits Active
miguelxavierpenha 2021-10-07 6 commits Active
Rafael Agostini 2013-04-11 5 commits Active
Rich Collier 2016-06-28 3 commits Active
shaunandrews 2006-07-13 3 commits Active
Automattic 2009-11-05 2 commits Active
Derek Smart 2014-07-13 1 commit Active
annezazu 2014-04-16 Active
apokalyptik 2007-03-02 Active
Brad Jorsch 2020-09-28 Active
rachelsquirrel 2014-10-06 Active
sdixon194 2021-01-27 Active
William Viana 2021-08-12 Active

Versions (97 most recent)

Version Released Download
4.0.7 2026-04-10 · 21d ago zip
4.0.6 2025-11-21 · 5mo ago zip
4.0.4 2025-11-12 · 5mo ago zip
4.0.3 2025-09-09 · 7mo ago zip
4.0.2 2025-06-09 · 10mo ago zip
4.0.1 2025-04-07 · 1y ago zip
4.0.0 2025-01-10 · 1y ago zip
3.0.0 2024-02-21 · 2y ago zip
2.2.5 2024-02-07 · 2y ago zip
2.2.4 2023-07-06 · 2y ago zip
2.2.3 2023-03-27 · 3y ago zip
2.2.2 2022-11-17 · 3y ago zip
2.2.0 2022-11-15 · 3y ago zip
2.2.1 2022-05-19 · 3y ago zip
2.2.0-beta 2021-10-07 · 4y ago zip
2.1.4 2020-08-07 · 5y ago zip
2.1.3 2020-08-06 · 5y ago zip
2.1.2 2020-08-05 · 5y ago zip
2.1.1 2019-12-14 · 6y ago zip
2.1 2019-12-09 · 6y ago zip
2.1-alpha 2019-11-27 · 6y ago zip
2.0.1 2019-07-12 · 6y ago zip
2.0 2019-07-09 · 6y ago zip
1.9.10 2019-04-04 · 7y ago zip
1.9.9 2019-04-02 · 7y ago zip
1.9.8 2019-02-07 · 7y ago zip
1.9.7 2018-12-11 · 7y ago zip
1.9.6 2018-12-05 · 7y ago zip
1.9.5 2018-02-02 · 8y ago zip
1.9.4 2017-12-15 · 8y ago zip
1.9.3 2017-11-09 · 8y ago zip
1.9.2 2017-07-06 · 8y ago zip
1.9.1 2017-06-29 · 8y ago zip
1.9.0 2017-06-05 · 8y ago zip
1.8.9 2017-05-08 · 8y ago zip
1.8.8 2017-03-06 · 9y ago zip
1.8.7 2017-03-06 · 9y ago zip
1.8.6 2017-01-26 · 9y ago zip
1.8.5 2016-08-08 · 9y ago zip
1.8.4 2016-07-28 · 9y ago zip
1.8.3 2016-05-26 · 9y ago zip
1.8.2 2016-05-11 · 9y ago zip
1.8.1 2016-04-14 · 10y ago zip
1.8.0 2016-03-08 · 10y ago zip
1.7.9 2016-02-24 · 10y ago zip
1.7.8 2015-12-15 · 10y ago zip
1.7.7 2015-09-15 · 10y ago zip
1.7.6 2015-08-14 · 10y ago zip
1.7.5 2015-06-11 · 10y ago zip
1.7.4 2015-06-05 · 10y ago zip
1.7.3 2015-04-28 · 11y ago zip
1.7.2 2015-04-22 · 11y ago zip
1.7.1 2015-03-25 · 11y ago zip
1.7.0 2015-02-10 · 11y ago zip
1.6.9 2014-12-24 · 11y ago zip
1.6.8 2014-12-15 · 11y ago zip
1.6.7 2014-12-01 · 11y ago zip
1.6.6 2014-11-14 · 11y ago zip
1.6.5 2014-09-10 · 11y ago zip
1.6.4 2014-09-03 · 11y ago zip
1.6.3 2014-07-30 · 11y ago zip
1.6.2 2014-07-10 · 11y ago zip
1.6.1 2014-07-01 · 11y ago zip
1.6 2014-06-27 · 11y ago zip
1.5.9 2014-06-16 · 11y ago zip
1.5.8 2014-06-03 · 11y ago zip
1.5.7 2014-04-11 · 12y ago zip
1.5.6 2014-04-01 · 12y ago zip
1.5.5 2014-02-26 · 12y ago zip
1.5.4 2014-02-25 · 12y ago zip
1.5.3 2014-02-07 · 12y ago zip
1.5.2 2013-12-26 · 12y ago zip
1.5.1 2013-12-16 · 12y ago zip
1.5 2013-12-11 · 12y ago zip
1.4.9 2013-10-10 · 12y ago zip
1.4.8 2013-07-15 · 12y ago zip
1.4.7 2013-07-02 · 12y ago zip
1.4.6 2013-06-26 · 12y ago zip
1.3 2013-06-26 · 12y ago zip
1.4 2013-06-26 · 12y ago zip
1.2.7 2013-06-26 · 12y ago zip
1.2.8 2013-06-26 · 12y ago zip
1.2.9 2013-06-26 · 12y ago zip
1.3.1 2013-06-26 · 12y ago zip
1.3.2 2013-06-26 · 12y ago zip
1.3.3 2013-06-26 · 12y ago zip
1.3.4 2013-06-26 · 12y ago zip
1.3.5 2013-06-26 · 12y ago zip
1.3.6 2013-06-26 · 12y ago zip
1.3.7 2013-06-26 · 12y ago zip
1.3.8 2013-06-26 · 12y ago zip
1.3.9 2013-06-26 · 12y ago zip
1.4.1 2013-06-26 · 12y ago zip
1.4.2 2013-06-26 · 12y ago zip
1.4.3 2013-06-26 · 12y ago zip
1.4.4 2013-06-26 · 12y ago zip
1.4.5 2013-06-26 · 12y ago zip