WPOSS阿里云对象存储

wposs · by laobuluo · wordpress.org ↗ · SVN ↗
Active installs
1k+
Current version
5.0
Added
2019-04-06
Last updated
2026-06-19 (13d ago)
First seen by beacon
2mo ago
Total downloads
24,357

Statistics

2024-06-16 → 2026-06-15 · 730 days
Downloads today
6
7-day total 68
Week over week
▲ +127%
vs prior 7 days
30-day trend
flat
▼ -11% MoM
Abandonment
○○○○○
healthy
Downloads/day Linear trend
10377522602024-062024-102025-022025-062025-102026-022026-06
15118402026-032026-042026-042026-052026-052026-06
14117402026-052026-052026-052026-062026-062026-06

Active versions

4.95.0other
4.9 · 57.5%5.0 · 28.2%other · 8.2%4.6 · 6.1%

Ratings

5★
5
4★
1
3★
1
2★
0
1★
0

Support: 0/0 resolved

Alerts (0)

No open alerts.

Show 1 resolved alert
Critical code_pattern Resolved · false_positive_legit_ip_use 2026-04-30 15:25:31 (2mo ago)
Slugwposs
Patternhardcoded_ip_url
Kindbuiltin
Version5.0
Hit count1
First hit
File
sdk/aliyun-oss-php-sdk/src/OSS/OssClient.php
Line
2,705
Snippet
const OSS_HOST_TYPE_IP = "ip"; //http://1.1.1.1/bucket/object
Explanationplugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) — legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths.
View raw JSON
{
    "slug": "wposs",
    "pattern": "hardcoded_ip_url",
    "kind": "builtin",
    "version": "5.0",
    "hit_count": 1,
    "first_hit": {
        "file": "sdk/aliyun-oss-php-sdk/src/OSS/OssClient.php",
        "line": 2705,
        "snippet": "const OSS_HOST_TYPE_IP = \"ip\";  //http://1.1.1.1/bucket/object"
    },
    "explanation": "plugin source hardcodes a raw IPv4 URL (e.g. `https://94.156.79.8/...`) \u2014 legitimate plugins use DNS hostnames because IPs change. Hardcoded IPs in plugin code are almost always either dev leftovers or attacker C2 infrastructure. The June 2024 social-warfare keylogger (audit #14) used `https://94.156.79.8/sc-top.js` for the JS payload host, `/AddSites` for victim registration, `/CMSUsers` for filesystem-recon exfil. Operator infrastructure on raw IPs avoids domain registration / RDAP detection paths. Post-filtered to skip RFC1918/loopback/link-local ranges and `vendor/`/`tests/` paths."
}

SVN committers (2)

Accounts with actual commit access to wposs on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
老蒋和他的小伙伴 Young account 2019-03-22 36 2019-04-06 · r2064116 2026-06-19 · r3578581
plugin-master 2007-03-09 1 2019-04-05 · r2064062 2019-04-05 · r2064062

Readme contributors (1)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
老蒋和他的小伙伴 2019-03-22 36 commits Active

Versions (2 most recent)

Version Released Download
4.9 2026-02-09 · 4mo ago zip
5.0 2026-02-09 · 4mo ago zip