[wp-trac] Re: [WordPress Trac] #5174: If plugin details cleared
while activated, "impossible" to deactivate
WordPress Trac
wp-trac at lists.automattic.com
Thu Oct 11 05:56:15 GMT 2007
#5174: If plugin details cleared while activated, "impossible" to deactivate
----------------------------+-----------------------------------------------
Reporter: Viper007Bond | Owner: anonymous
Type: defect | Status: new
Priority: lowest | Milestone: 2.5
Component: Administration | Version: 2.3
Severity: normal | Resolution:
Keywords: needs-patch |
----------------------------+-----------------------------------------------
Comment (by jaredbangs):
Hmm... it's interesting to think of the possibilities here for plugins
with less than noble intentions.
Based on what you've described above, a plugin could theoretically (upon
initial activation) modify and hide itself to prevent removal and then
even download / insert a new dummy plugin file that uses the original
name.
This could lead to a situation where a user who goes to deactivate the new
plugin could be fooled into believing they've done so, when in reality the
original plugin would remain active.
I agree that it seems unlikely, and of course it does require that the
user downloads and activates the original plugin in the first place, and
(in the scenario I described) have relatively "loose" file and directory
permissions on their plugin directory, but I doubt that's very uncommon.
Maybe I'm missing something in all this, but my memory isn't bad enough to
have forgotten about all the nasty tricks some of those sponsored themes
were pulling a while back, and I could see the same thing potentially
being done here if the plugin dev were sneaky about it.
--
Ticket URL: <http://trac.wordpress.org/ticket/5174#comment:1>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list