Critical code_pattern
Resolved · fp_pdf_invoice_attachment_not_executed
2026-07-02 12:40:05
| Slug | woopop-electronic-invoice-free |
|---|---|
| Pattern | decode_write_dropper |
| Kind | builtin |
| Version | 6.9.5 |
| Hit count | 1 |
| First hit | `addon/to/aruba/src/Functions/Api.php` line 797: `$pdfFile = base64_decode($responseData->pdfFile);` |
| Explanation | a runtime decode primitive (`gzuncompress`/`gzinflate`/`gzdecode`/`base64_decode`) feeds a filesystem write (`fwrite`/`file_put_contents`) which is then `include`d/`require`d as a variable path — the textbook dropper shape: ship an encoded payload as data, decode it to disk at activation/admin-init, and execute it. The siteguarding burner `wp-plugin-management` (audit #43) used exactly this: `fwrite($fp, gzuncompress($c)); include($filename);` in its `register_activation_hook` to plant `siteguarding_tools.php`. Near-zero FP because legit caching writes decoded data but never `include`s a computed path it just wrote. |
Raw JSON:

```json
{
  "slug": "woopop-electronic-invoice-free",
  "pattern": "decode_write_dropper",
  "kind": "builtin",
  "version": "6.9.5",
  "hit_count": 1,
  "first_hit": {
    "file": "addon/to/aruba/src/Functions/Api.php",
    "line": 797,
    "snippet": "$pdfFile = base64_decode($responseData->pdfFile);"
  },
  "explanation": "a runtime decode primitive (`gzuncompress`/`gzinflate`/`gzdecode`/`base64_decode`) feeds a filesystem write (`fwrite`/`file_put_contents`) which is then `include`d/`require`d as a variable path \u2014 the textbook dropper shape: ship an encoded payload as data, decode it to disk at activation/admin-init, and execute it. The siteguarding burner `wp-plugin-management` (audit #43) used exactly this: `fwrite($fp, gzuncompress($c)); include($filename);` in its `register_activation_hook` to plant `siteguarding_tools.php`. Near-zero FP because legit caching writes decoded data but never `include`s a computed path it just wrote."
}
```