WP Beacon

Web Server Information

wpheka-web-server-information · by akshayaswaroop · wordpress.org ↗ · SVN ↗
Active installs
20
Current version
1.7
Added
2020-07-29
Last updated
2026-02-12 (3mo ago)
First seen by beacon
1mo ago
Total downloads

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · fp_ipapi_documented_serialized_php_endpoint 2026-06-06 05:51:10 (6d ago)
Slugwpheka-web-server-information
Patternunserialize_after_remote_call
Kindbuiltin
Version1.7
Hit count1
First hit
File
includes/class-wpheka-info-admin-webserver.php
Line
109
Snippet
L109: $query = @unserialize( wp_remote_retrieve_body( wp_remote_get( 'http://ip-api.com/php → L109: $query = @unserialize( wp_remote_retrieve_body( wp_remote_get( 'http://ip-api.com/php
Explanationa remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
View raw JSON
{
    "slug": "wpheka-web-server-information",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "1.7",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/class-wpheka-info-admin-webserver.php",
        "line": 109,
        "snippet": "L109: $query = @unserialize( wp_remote_retrieve_body( wp_remote_get( 'http://ip-api.com/php  \u2192  L109: $query = @unserialize( wp_remote_retrieve_body( wp_remote_get( 'http://ip-api.com/php"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}

SVN committers (2)

Accounts with actual commit access to wpheka-web-server-information on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
akshayaswaroop 2017-07-30 15 2020-07-29 · r2348222 2026-02-12 · r3460225
plugin-master 2007-03-09 1 2020-07-28 · r2348041 2020-07-28 · r2348041

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
akshayaswaroop 2017-07-30 15 commits Active
wpheka 2020-04-20 Active

Versions (8 most recent)

Version Released Download
1.7 2026-02-12 · 3mo ago zip
1.6 2025-05-13 · 1y ago zip
1.5 2024-11-30 · 1y ago zip
1.4 2023-08-24 · 2y ago zip
1.3 2022-05-25 · 4y ago zip
1.2 2022-05-24 · 4y ago zip
1.1 2021-08-13 · 4y ago zip
1.0 2020-07-29 · 5y ago zip