[wp-trac] Re: [WordPress Trac] #5174: If plugin details cleared while activated, "impossible" to deactivate

WordPress Trac wp-trac at lists.automattic.com
Thu Oct 11 14:29:48 GMT 2007

#5174: If plugin details cleared while activated, "impossible" to deactivate
 Reporter:  Viper007Bond    |        Owner:  anonymous
     Type:  defect          |       Status:  new      
 Priority:  lowest          |    Milestone:  2.5      
Component:  Administration  |      Version:  2.3      
 Severity:  normal          |   Resolution:           
 Keywords:  needs-patch     |  
Comment (by santosj):

 If a plugin were going to do that they would just edit the database plugin
 option to where they would never be able to deactivate the plugin and
 force deletion. However, the combination of both could be a problem.

 Lets say User goes to activate and run the application. Finds out that the
 plugin was a little sneaky and is "phoning" home or adding content that
 wasn't agreed upon.

 User goes to deactivate, and on deactivation hook, the plugin readds
 itself to the plugin option activated list and opens itself and does the
 above bug trick.

 For a normal user this might pose a problem. What this needs to take into
 account is that if the User really wanted to remove such a plugin, they
 would only need to remove it, instead of deleting it. If it creates any
 other files, like say in the akismet folder, and activates itself when
 activated the first time, then this would pose a security risk.

 It might pose a greater security risk if the plugin does nothing bad and
 installed the another plugin that does that job for it. It might be
 difficult to track down and WordPress might be assumed at fault.

 Really, it depends mostly on user lack of technical knowledge.

Ticket URL: <http://trac.wordpress.org/ticket/5174#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list