WP Restaurant Price List

wp-restaurant-price-list · by marcodedo · wordpress.org ↗ · SVN ↗
Active installs
500
Current version
1.4.1
Added
2019-08-27
Last updated
2023-11-20 (2y ago)
First seen by beacon
2mo ago
Total downloads
9,822

Statistics

2024-06-16 → 2026-06-15 · 730 days
Downloads today
1
7-day total 23
Week over week
▲ +15%
vs prior 7 days
30-day trend
flat
▼ -7% MoM
Abandonment
●●○○○
no update in >1yr; install base on one version
Downloads/day Linear trend
1296302024-062024-102025-022025-062025-102026-022026-06
1296302026-032026-042026-042026-052026-052026-06
1186302026-052026-052026-052026-062026-062026-06

Active versions

1.4
1.4 · 97.2%1.3 · 2.9%

Ratings

5★
10
4★
0
3★
0
2★
1
1★
0

Support: 0/0 resolved

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · metabox_library_legacy_updater_fp 2026-05-08 09:56:54 (1mo ago)
Slugwp-restaurant-price-list
Patternunserialize_after_remote_call
Kindbuiltin
Version1.4.1
Hit count1
First hit
File
assets/meta-box/inc/update/checker.php
Line
204
Snippet
L196: $request = wp_remote_post( → L204: return $response ? @unserialize( $response ) : false;
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "wp-restaurant-price-list",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "1.4.1",
    "hit_count": 1,
    "first_hit": {
        "file": "assets/meta-box/inc/update/checker.php",
        "line": 204,
        "snippet": "L196: $request = wp_remote_post(  \u2192  L204: return $response ? @unserialize( $response ) : false;"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to wp-restaurant-price-list on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
marcodedo 2010-08-23 36 2019-08-27 · r2146188 2023-11-20 · r2999024
plugin-master 2007-03-09 1 2019-08-26 · r2145869 2019-08-26 · r2145869

Readme contributors (3)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
marcodedo 2010-08-23 36 commits Active
MagentaComunicazione 2022-08-17 Active
themeinthebox 2017-02-14 Active