Opened 5 years ago
Closed 5 years ago
#49207 closed defect (bug) (invalid)
About alleged security breach in WPGens Refer a Friend plugin. I was wrong. Plugins were taken out of marketplace. They should be reinstated.
| Reported by: | becosfx | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | major | Version: | |
| Component: | Plugins | Keywords: | |
| Focuses: | | Cc: | |
Description
Dear Sirs,
In regards to the red flag raised against WPGens Refer a Friend plugin, I think I was in error, and that is not a correct claim. This was the post that is now removed: https://wordpress.org/support/topic/security-breach-wpgenss-refer-a-friend-for-wc-sets-up-backdoor-user-in-db/?view=all#post-12328496
I will explain the situation below:
- I use Hotjar. A recording showed a login of a user without a name. This is the recording: removed. After login, in the upper right corner, the user is shown logged in as (CUSTOMER) without a name. That was the red flag.
- On internal verification, the user removed and the associated email removed were not in the user table like all other users, but in the wp_wc_customer_lookup table; no password was assigned to this user. Basically, I don't know how the WordPress login is even possible without a password. That raised another red flag.
- With the present website setup, a user cannot be created and not be present in the user table, even if they cancel a payment. The order is also displayed afterward anyway, as canceled or pending payment. Such a created user is also present and visible. So, it is impossible to have a login from a shadow user without seeing the results of their actions. I drew the conclusion that goca17 is a shadow user. That was another flag.
- Because my mailbox was full exactly on the day when I was asking the developer for answers, I did not receive any of his emails for hours, and I thought he was ducking. That is the reason I panicked and escalated into informing WordPress and Wordfence about what I had thought to be a security breach. This simply complicated the understanding of the facts.
- It is true that in February last year I invited the developer (Goran) to check the plugin on my website, and that is the time the user was registered in the database. This is proof that I am wrong in my claim.
I assume responsibility for not remembering the fact that I invited the developer to check the plugin on my website, at the time. I found that archived email, and that is the proof I am wrong. I didn't recall what happened one year ago.
I don't understand how that user was registered and is not shown in the users' database, yet allows logging in; this might be a WooCommerce bug.
Everything is a miscommunication layered on what appears to be a bug. I understand that WPGens's plugins were taken down from the marketplace. That is a consequence of raising my red flag against his software. They should be reinstated. I hope they will be as soon as possible.
It is not uncommon to find software harboring backdoor exploits. I receive alerts from Wordfence weekly, indicating plugins that exploit vulnerabilities to get access to other computers. In this context, I acted.
This is my public apology. It was not my intention to harm WPGens just because. I thought I was the victim of a user attack on the website, and that was the reason for my action.
I am sincerely apologizing to Goran from WPGens, and I am asking you to reinstate his plugins in the marketplace.
Regards,
- Barac
Hi @becosfx,
Welcome to Trac!
This Trac instance is for tasks related to the WordPress Core software. If a plugin was removed from wordpress.org because of something you reported, then this is something that you would need to take up with the plugin team by emailing them at plugins@….