
Opened 2 years ago

Closed 2 years ago

#49207 closed defect (bug) (invalid)

About alleged security breach in WPGens Refer a Friend plugin. I was wrong. Plugins were taken out of marketplace. They should be reinstated.

Reported by: becosfx
Owned by:
Milestone:
Priority: normal
Severity: major
Version:
Component: Plugins
Keywords:
Focuses:
Cc:

Description (last modified by desrosj)

Dear Sirs,

In regards to the red flag raised against WPGens Refer a Friend plugin, I think I was in error, and that is not a correct claim. This was the post that is now removed: https://wordpress.org/support/topic/security-breach-wpgenss-refer-a-friend-for-wc-sets-up-backdoor-user-in-db/?view=all#post-12328496

I will explain the situation below:

  1. I use Hotjar. A recording showed a login of a user without a name. This is the recording: removed. After login, in the upper right corner, the user is shown logged in as (CUSTOMER) without a name. That was the red flag.
  2. On internal verification, the user removed and associated email removed were not in the user table like all other users, but in the wp_wc_customer_lookup table; no password was assigned to this user. Basically I don't know how the WordPress login is even possible without a password?!... That raised another red flag.
  3. With the present website setup, a user cannot be created and not be present in the user table, even if they cancel a payment. The order is also displayed afterward anyway, as canceled or pending payment. Such a created user is also present and visible. So, it is impossible to have a login from a shadow user without seeing the results of their actions. I drew the conclusion that goca17 is a shadow user. That was another flag.
  4. Because my mailbox was full exactly on the day I was asking the developer for answers, I did not receive any of his emails for several hours and I thought he was ducking. That is the reason I panicked and escalated to informing WordPress and Wordfence about what I thought was a security breach. This simply complicated the understanding of the facts.
  5. It is true that in February last year I invited the developer (Goran) to check the plugin on my website, and that is the time the user was registered in the database. This is proof that I am wrong in my claim.

I assume responsibility for not remembering the fact that I invited the developer to check the plugin on my website, at the time. I found that archived email, and that is the proof I am wrong. I didn't recall what happened one year ago.

I don't understand how that user was registered and is not shown in the users' database, yet is allowed to log in; this might be a WooCommerce bug.

Everything is a miscommunication layered on what appears to be a bug. I understand that WPGens's plugins were taken down from the marketplace. That is a consequence of my raising a red flag against his software. They should be reinstated. I hope they will be as soon as possible.

It is not uncommon to find software harboring backdoor exploits. I receive alerts from Wordfence weekly, indicating plugins that exploit vulnerabilities to gain access to other computers. In this context, I acted.

This is my public apology. It was not my intention to harm WPGens for no reason. I thought I was the victim of a user attack on the website, and that was the reason for my action.

I am sincerely apologizing to Goran from WPGens, and I am asking you to reinstate his plugins in the marketplace.

Regards,

  1. Barac

Change History (1)

#1 @desrosj
2 years ago

  • Description modified (diff)
  • Keywords close removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from assigned to closed

Hi @becosfx,

Welcome to Trac!

This Trac instance is for tasks related to the WordPress Core software. If a plugin was removed from wordpress.org because of something you reported, then this is something that you would need to take up with the plugin team by emailing them at plugins@….
