[wp-trac] [WordPress Trac] #49207: About alleged security breach in WPGens Refer a Friend plugin. I was wrong. Plugins were taken out of marketplace. They should be reinstated.

WordPress Trac noreply at wordpress.org
Thu Jan 16 06:46:24 UTC 2020


#49207: About alleged security breach in WPGens Refer a Friend plugin. I was wrong.
Plugins were taken out of marketplace. They should be reinstated.
--------------------------+-----------------------------
 Reporter:  becosfx       |      Owner:  (none)
     Type:  defect (bug)  |     Status:  assigned
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Plugins       |    Version:
 Severity:  major         |   Keywords:  close
  Focuses:                |
--------------------------+-----------------------------
 Dear Sirs,

 **In regards to the red flag raised against WPGens Refer a Friend plugin,
 I think I was in error, and that is not a correct claim. This was the post
 that is now removed:
 https://wordpress.org/support/topic/security-breach-wpgenss-refer-a-friend-for-wc-sets-up-backdoor-user-in-db/?view=all#post-12328496**

 I will explain the situation below:

     1. I use Hotjar. A recording showed a login of a user without a name.
 This is the recording:
 https://insights.hotjar.com/r?site=1201180&recording=3008970660&token=94e54a11e92bf1df0d8787a1d3fb1039&startTime=131100
 After login, in the upper right corner, the user is shown logged in as
 (CUSTOMER) without a name. That was the red flag.
     2. On internal verification, the user ''goca17'' and the associated email
 ''goca17 at gmail.com'' were not in the user table like all other users, but
 in the ''wp_wc_customer_lookup'' table; no password was assigned to this user.
 Basically, I don't know how the WordPress login is even possible without a
 password?!... That raised another red flag.
     3. With the present website setup, a user cannot be created without being
 present in the user table, even if they cancel a payment. The order is
 also displayed afterward anyway, as ''canceled'' or ''pending payment''.
 Such a created user is also present and visible. So, it is impossible to
 have a login from a shadow user without seeing their action results. ''I
 drew the conclusion goca17 is a shadow user.'' That was another flag.
     4. Because my mailbox was full on exactly the day when I was asking the
 developer for answers, I did not receive any of his emails for several
 hours, and I thought he was ducking me. That is the reason I panicked and
 escalated into informing WordPress and Wordfence about what I had thought
 to be a security breach. This simply complicated the understanding of the
 facts.

     **5. It is true that in February last year I invited the developer (Goran)
 to check the plugin on my website, and that is the time the user was
 registered in the database. This is proof that I am wrong in my claim.**

 **I assume responsibility for not remembering the fact that I invited the
 developer to check the plugin on my website, at the time. I found that
 archived email, and that is the proof I am wrong. I didn't recall what
 happened one year ago.**

 I don't understand how that user was registered and is not shown in the
 users' database, yet is allowed to log in; **this might be a WooCommerce
 bug.**

 **Everything is a miscommunication layered on what appears to be a bug. I
 understand that WPGens's plugins were taken down in the marketplace. That
 is a consequence of raising my red flag against his software. They
 should be reinstated. I hope they will be as soon as possible.**

 It is not uncommon to find software harboring backdoor exploits. I receive
 alerts from Wordfence weekly, indicating plugins that exploit
 vulnerabilities to get access to other computers. In this context, I
 acted.

 This is my public apology. It was not my intention to harm WPGens just
 because. I thought I was the victim of a user attack on the website, and
 that was the reason for my action.

 **I am sincerely apologizing to Goran from WPGens, and I am asking you to
 reinstate his plugins in the marketplace.**

 Regards,

 C. Barac
 becosfx.com
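As an added check, not part of the reporter's post or of any WPGens code: the two queries below reconcile WooCommerce's ''wp_wc_customer_lookup'' table (point 2 above) against ''wp_users'', which is the table WordPress core authenticates against. They assume the default ''wp_'' table prefix, and the email address is a placeholder.

```sql
-- Added example, not from the ticket. Assumes the default wp_ table prefix.
-- 1) Customer-lookup rows with no matching wp_users row. WooCommerce's
--    analytics lookup table also records guest purchasers, stored with
--    user_id = NULL; such rows are expected and carry no login credentials.
SELECT cl.customer_id, cl.user_id, cl.username, cl.email,
       cl.date_registered, cl.date_last_active
FROM wp_wc_customer_lookup AS cl
LEFT JOIN wp_users AS u ON u.ID = cl.user_id
WHERE u.ID IS NULL
ORDER BY cl.date_last_active DESC;

-- 2) Whether an account that can actually log in exists for a given address.
--    Under core's default authentication only a wp_users row (with its
--    user_pass hash) can sign in, so an address that appears here, and not
--    only in the lookup table, is the one worth reviewing.
--    'customer@example.com' is a placeholder, not the ticket's address.
SELECT u.ID, u.user_login, u.user_email, u.user_registered,
       um.meta_value AS capabilities
FROM wp_users AS u
LEFT JOIN wp_usermeta AS um
       ON um.user_id = u.ID AND um.meta_key = 'wp_capabilities'
WHERE u.user_email = 'customer@example.com';
```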

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49207>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform