YARPP – Yet Another Related Posts Plugin

yet-another-related-posts-plugin · by jeffparker
Active installs: 100k+
Current version: 5.30.11
Added: 2008-01-02
Last updated: 2024-11-11 (1y ago)
First seen by beacon: 11d ago
Total downloads: 7,961,165

Historical audits (1)

Past investigations, all resolved. No current threat.
  • Benign Audit #17 baseline 1.0 → head 5.30.11 2d ago

Alerts (0)

No open alerts.

Resolved alerts (2)

Critical code_pattern Resolved · audit:benign 2026-04-30 11:05:55 (2d ago)
Slug: yet-another-related-posts-plugin
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 5.30.11
Hit count: 1
First hit:
  File: classes/YARPP_Core.php
  Line: 2112
  Snippet: L2105: $remote = wp_remote_post( "https://yarpp.org/checkversion.php?format=php&version={$vers → L2112: if ( $result = @unserialize( $remote['body'] ) ) {
Explanation: A remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file — classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
Critical code_scan_delta Resolved · audit:benign 2026-04-30 06:35:03 (2d ago)
Slug: yet-another-related-posts-plugin
Previous version: 5.30.11
Current version: 5.30.11
New findings:
  Pattern: unserialize_after_remote_call
  Kind: builtin
  File: classes/YARPP_Core.php
  Line: 2112
  Snippet: L2105: $remote = wp_remote_post( "https://yarpp.org/checkversion.php?format=php&version={$vers → L2112: if ( $result = @unserialize( $remote['body'] ) ) {
  Confidence: high
New finding count: 1

SVN committers (3)

Accounts with actual commit access to yet-another-related-posts-plugin on plugins.svn.wordpress.org, reconstructed from svn log. This is the list that matters for ownership changes — not the readme contributors.

Committer Member since Commits First commit Latest commit
mitcho (Michael Yoshitaka Erlewine) 2007-11-19 273 2012-03-03 · r513797 2013-06-14 · r726634
YARPP 2013-06-18 169 2013-09-17 · r774117 2024-11-11 · r3185944
Michael Nelson 2012-01-04 31 2021-02-08 · r2470995 2021-04-29 · r2523187

Readme contributors (2)

Names the plugin's readme declares as contributors. A soft signal — anyone can be listed. The SVN access column is the ground-truth cross-reference: does this contributor actually commit code?

Contributor Member since SVN access Status
YARPP 2013-06-18 169 commits Active
Shareaholic 2010-01-29 Active

Versions (100 most recent)

Version Released Download
5.30.11 2024-11-11 · 1y ago zip
5.30.10 2024-02-17 · 2y ago zip
5.30.9 2023-11-21 · 2y ago zip
5.30.8 2023-11-21 · 2y ago zip
5.30.7 2023-11-20 · 2y ago zip
5.30.6 2023-08-09 · 2y ago zip
5.30.5 2023-07-18 · 2y ago zip
5.30.4 2023-07-17 · 2y ago zip
5.30.3 2023-04-28 · 3y ago zip
5.30.2 2023-01-29 · 3y ago zip
5.30.1 2022-11-08 · 3y ago zip
5.27.8 2022-07-05 · 3y ago zip
5.27.7 2021-10-29 · 4y ago zip
5.27.6 2021-10-12 · 4y ago zip
5.27.5 2021-09-15 · 4y ago zip
5.27.4 2021-08-25 · 4y ago zip
5.27.3 2021-08-16 · 4y ago zip
5.27.2 2021-08-12 · 4y ago zip
5.27.1 2021-08-03 · 4y ago zip
5.27.0 2021-07-20 · 4y ago zip
5.26.0 2021-07-15 · 4y ago zip
5.25.0 2021-06-23 · 4y ago zip
5.24.0 2021-06-21 · 4y ago zip
5.1.7 2021-06-02 · 4y ago zip
5.23.0 2021-06-02 · 4y ago zip
5.22.0 2021-05-24 · 4y ago zip
5.21.0 2021-05-14 · 4y ago zip
5.20.0 2021-05-06 · 4y ago zip
5.19.0 2021-04-29 · 5y ago zip
5.18.2 2021-04-19 · 5y ago zip
5.18.1 2021-04-19 · 5y ago zip
5.17.0 2021-04-06 · 5y ago zip
5.16.0 2021-03-29 · 5y ago zip
5.16.1 2021-03-29 · 5y ago zip
5.15.3 2021-03-15 · 5y ago zip
5.15.2 2021-03-12 · 5y ago zip
5.15.1 2021-03-11 · 5y ago zip
5.14.0 2021-03-09 · 5y ago zip
5.13.0 2021-03-01 · 5y ago zip
5.12.0 2021-02-22 · 5y ago zip
5.11.0 2021-02-08 · 5y ago zip
3.2b3 2021-02-03 · 5y ago zip
3.2b4 2021-02-03 · 5y ago zip
3.2.1 2021-02-03 · 5y ago zip
3.2.1b1 2021-02-03 · 5y ago zip
3.2.1b2 2021-02-03 · 5y ago zip
3.2.1b3 2021-02-03 · 5y ago zip
3.2.1b4 2021-02-03 · 5y ago zip
3.2.3b1 2021-02-03 · 5y ago zip
3.2.3b2 2021-02-03 · 5y ago zip
3.2.3b3 2021-02-03 · 5y ago zip
3.2.2b1 2021-02-03 · 5y ago zip
3.2.2 2021-02-03 · 5y ago zip
3.2 2021-02-03 · 5y ago zip
5.10.2 2020-11-23 · 5y ago zip
5.10.1 2020-10-23 · 5y ago zip
5.10.0 2020-10-22 · 5y ago zip
5.9.0 2020-09-22 · 5y ago zip
5.8.0 2020-09-08 · 5y ago zip
5.7.0 2020-08-18 · 5y ago zip
5.6.0 2020-08-13 · 5y ago zip
5.5.0 2020-08-06 · 5y ago zip
5.4.0 2020-08-03 · 5y ago zip
5.3.0 2020-07-29 · 5y ago zip
5.2.2 2020-07-21 · 5y ago zip
5.2.1 2020-07-20 · 5y ago zip
5.2.0 2020-07-20 · 5y ago zip
5.1.8 2020-06-25 · 5y ago zip
5.1.9 2020-06-25 · 5y ago zip
5.1.6 2020-05-15 · 5y ago zip
5.1.5 2020-05-11 · 5y ago zip
5.1.4 2020-05-11 · 5y ago zip
5.1.3 2020-04-07 · 6y ago zip
5.1.2 2019-11-06 · 6y ago zip
5.1.1 2019-09-23 · 6y ago zip
5.1.0 2019-07-09 · 6y ago zip
5.0.1 2019-07-08 · 6y ago zip
5.0.0 2019-07-01 · 6y ago zip
4.6 2019-07-01 · 6y ago zip
4.5 2019-05-18 · 6y ago zip
4.2.6 2019-04-26 · 7y ago zip
4.4 2017-01-31 · 9y ago zip
4.3.6 2017-01-03 · 9y ago zip
4.3.5 2017-01-03 · 9y ago zip
4.3.4 2017-01-03 · 9y ago zip
4.3.3 2016-12-27 · 9y ago zip
4.3.2 2016-12-20 · 9y ago zip
4.3.1 2016-01-15 · 10y ago zip
4.2.5 2015-05-14 · 10y ago zip
4.2.4 2014-09-23 · 11y ago zip
4.2.3 2014-09-23 · 11y ago zip
4.2.2 2014-05-09 · 11y ago zip
4.2.1 2014-05-08 · 11y ago zip
4.2 2014-05-08 · 11y ago zip
4.1.2 2014-03-17 · 12y ago zip
4.1.1 2013-12-12 · 12y ago zip
4.1 2013-12-11 · 12y ago zip
4.0.8 2013-10-18 · 12y ago zip
4.0.7 2013-10-14 · 12y ago zip
4.0.6 2013-09-17 · 12y ago zip