wordpress-admin
Audited by Socket on Feb 16, 2026
3 alerts found:
Obfuscated File x2, Anomaly

The package appears to be a legitimate WordPress administration toolkit. I found no clear indicators of intentional malware or obfuscation in the provided fragment. However, the materials contain several high-risk operational security issues: an inline production FTP password, use of plaintext FTP with SSL verification disabled, weak local admin credentials, and storage of API keys in root files. These practices materially increase the chance of credential compromise and unauthorized modification of production content. Treat the content as operationally dangerous until secrets are removed/rotated and secure transport/secret management controls are applied.
No direct signs of malware (no remote exfiltration, backdoor, or obfuscated payload). However, the code contains a significant command injection vulnerability: it constructs shell commands from untrusted inputs and runs them with subprocess.run(..., shell=True) with insufficient escaping. This creates a moderate-to-high security risk depending on execution context. Recommendations: replace shell=True usage by calling subprocess.run with an argument list or use shlex.quote for each interpolated value; validate/allowlist inputs (IDs numeric, slugs restricted); or implement the REST API path to avoid shelling out. Review SITES usage for configuration management and avoid shipping sensitive topology in distributed packages.
No evidence of intentionally malicious code (no backdoor, exfiltration, or obfuscation). However, the module uses subprocess.run(..., shell=True) with user-controlled inputs (post_id and command fragments), which creates a command injection / remote code execution vulnerability. Treat this as a moderate-to-high security risk for supply-chain use: safe to use only after fixing the shell invocation (use argument array or strict validation) or restricting who can call the script. Hardcoded site URLs and container names are informational but not secrets.