Widgets for Google Reviews

wp-reviews-plugin-for-google · by trustindex · wordpress.org ↗ · SVN ↗

Active installs: 900k+
Current version: 13.2.9
Added: 2019-11-13
Last updated: 2026-04-14 (18d ago)
First seen by beacon: 10d ago
Total downloads: 18,049,706

Alerts (0)

No open alerts.

Show 2 resolved alerts

Critical code_pattern Resolved · no_longer_matches 2026-04-24 15:56:44 (7d ago)

Slug	wp-reviews-plugin-for-google
Pattern	`unserialize_after_remote_call`
Kind	`builtin`
Version	`13.2.9`
Hit count	1
First hit	File `trustindex-plugin.class.php` Line 7,088 Snippet L7078: $wpResponse = wp_remote_post( → L7088: $wpRepoResponse = unserialize(wp_remote_retrieve_body($wpResponse));
Explanation	a remote HTTP fetch (`wp_remote_*`/`curl_exec`) is followed by `unserialize`/`maybe_unserialize` within the same file — classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. Legit plugins essentially never do this.

View raw JSON

{
    "slug": "wp-reviews-plugin-for-google",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "13.2.9",
    "hit_count": 1,
    "first_hit": {
        "file": "trustindex-plugin.class.php",
        "line": 7088,
        "snippet": "L7078: $wpResponse = wp_remote_post(  \u2192  L7088: $wpRepoResponse = unserialize(wp_remote_retrieve_body($wpResponse));"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*`/`curl_exec`) is followed by `unserialize`/`maybe_unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget used by EP and most WP supply-chain backdoors. Legit plugins essentially never do this."
}

Critical code_scan_delta Resolved · fp_wporg_official_api 2026-04-24 15:43:16 (7d ago)

Slug wp-reviews-plugin-for-google

Previous version 13.2.9

Current version 13.2.9

New findings

Pattern	Kind	File	Line	Snippet	Confidence
`unserialize_after_remote_call`	`builtin`	`trustindex-plugin.class.php`	7,088	L7078: $wpResponse = wp_remote_post( → L7088: $wpRepoResponse = unserialize(wp_remote_retrieve_body($wpResponse));	`high`

New finding count 1

View raw JSON

{
    "slug": "wp-reviews-plugin-for-google",
    "previous_version": "13.2.9",
    "current_version": "13.2.9",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "trustindex-plugin.class.php",
            "line": 7088,
            "snippet": "L7078: $wpResponse = wp_remote_post(  \u2192  L7088: $wpRepoResponse = unserialize(wp_remote_retrieve_body($wpResponse));",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}

SVN committers (2)

Accounts with actual commit access to wp-reviews-plugin-for-google on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer	Member since	Commits	First commit	Latest commit
Trustindex	2019-01-17	200	2019-11-13 · r2191352	2026-04-14 · r3505974
plugin-master	2007-03-09	1	2019-11-12 · r2190939	2019-11-12 · r2190939

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor	Member since	SVN access	Status
Trustindex	2019-01-17	200 commits	Active

Versions (19 most recent)

Version	Released	Download
13.2.9	2026-04-14 · 18d ago	zip
13.2.8	2026-03-19 · 1mo ago	zip
13.2.7	2026-01-20 · 3mo ago	zip
13.2.6	2026-01-15 · 3mo ago	zip
13.2.5	2025-11-20 · 5mo ago	zip
13.1	2025-09-01 · 8mo ago	zip
13.0	2025-07-24 · 9mo ago	zip
12.9	2025-07-08 · 9mo ago	zip
12.8	2025-06-05 · 11mo ago	zip
12.7.6	2025-05-28 · 11mo ago	zip
12.6.1	2025-03-06 · 1y ago	zip
12.5	2025-01-10 · 1y ago	zip
12.4.7	2024-12-10 · 1y ago	zip
12.3	2024-10-10 · 1y ago	zip
12.2	2024-09-19 · 1y ago	zip
12.1.2	2024-09-02 · 1y ago	zip
12.0	2024-07-23 · 1y ago	zip
11.9	2024-06-25 · 1y ago	zip
10.9.1	2023-10-17 · 2y ago	zip