id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,focuses
49207,About alleged security breach in WPGens Refer a Friend plugin. I was wrong. Plugins were taken out of the marketplace. They should be reinstated.,becosfx,,"Dear Sirs, **In regards to the red flag raised against WPGens Refer a Friend plugin, I think I was in error, and that is not a correct claim. This was the post that is now removed: https://wordpress.org/support/topic/security-breach-wpgenss-refer-a-friend-for-wc-sets-up-backdoor-user-in-db/?view=all#post-12328496** I will explain the situation below: 1. I use Hotjar. A recording showed a login of a user without a name. This is the recording: ''removed'' . After login, in the upper right corner, the user is shown logged in as (CUSTOMER) without a name. That was the red flag. 2. On internal verification, the user ''removed'' and associated email ''removed'' were not in the user table like all other users, but in the ''wp_wc_customer_lookup table''; no password was assigned to this user. Basically I don't know how the WordPress login is even possible without a password?!... That raised another red flag. 3. With the present website setup, a user cannot be created and not be present in the user table, even if they cancel a payment. The order is also displayed afterward anyway, as ''canceled'' or ''pending payment''. Such a created user is also present and visible. So, it is impossible to have a login from a shadow user without seeing the results of their actions. ''I drew the conclusion goca17 is a shadow user.'' That was another flag. 4. Because my mailbox was full exactly on the day when I was asking for answers from the developer, I did not receive any of his emails for several hours and I thought he was ducking. That is the reason I panicked and escalated into informing WordPress and Wordfence about what I had thought to be a security breach. This simply complicated the understanding of the facts. **5. It is true that in February last year I invited the developer (Goran) to check the plugin on my website, and that is the time the user was registered in the database. This is proof that I am wrong in my claim.** **I assume responsibility for not remembering the fact that I invited the developer to check the plugin on my website at the time. I found that archived email, and that is the proof I am wrong. I didn't recall what happened one year ago.** I don't understand how that user was registered and is not shown in the users' database, yet allows logging in; **this might be a WooCommerce bug.** **Everything is a miscommunication layered on what appears to be a bug. I understand that WPGens's plugins were taken down in the marketplace. That is a consequence of raising my red flag against his software. They should be reinstated. I hope they will be as soon as possible.** It is not uncommon to find software harboring backdoor exploits. I receive alerts from Wordfence weekly, indicating plugins that exploit vulnerabilities to get access to other computers. In this context, I acted. This is my public apology. It was not my intention to harm WPGens just because. I thought I was the victim of a user attack on the website, and that was the reason for my action. **I am sincerely apologizing to Goran from WPGens, and I am asking you to reinstate his plugins in the marketplace.** Regards, C. Barac",defect (bug),closed,normal,,Plugins,,major,invalid,,,