[wp-trac] [WordPress Trac] #49207: About alleged security breach in WPGens Refer a Friend plugin. I was wrong. Plugins were taken out of marketplace. They should be reinstated.
WordPress Trac
noreply at wordpress.org
Thu Jan 16 15:38:02 UTC 2020
#49207: About alleged security breach in WPGens Refer a Friend plugin. I was wrong.
Plugins were taken out of marketplace. They should be reinstated.
--------------------------+----------------------
Reporter: becosfx | Owner: (none)
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Plugins | Version:
Severity: major | Resolution: invalid
Keywords: | Focuses:
--------------------------+----------------------
Changes (by desrosj):
* keywords: close =>
* status: assigned => closed
* resolution: => invalid
* milestone: Awaiting Review =>
Old description:
> Dear Sirs,
>
> **In regards to the red flag raised against WPGens Refer a Friend plugin,
> I think I was in error, and that is not a correct claim. This was the
> post that is now removed: https://wordpress.org/support/topic/security-
> breach-wpgenss-refer-a-friend-for-wc-sets-up-backdoor-user-in-
> db/?view=all#post-12328496**
>
> I will explain the situation below:
>
> 1. I use Hotjar. A recording showed a login of a user without a name.
> This is the recording:
> https://insights.hotjar.com/r?site=1201180&recording=3008970660&token=94e54a11e92bf1df0d8787a1d3fb1039&startTime=131100
> . After login, in the upper right corner, the user is shown logged in as
> (CUSTOMER) without a name. That was the red flag.
> 2. On internal verification, the user ''goca17'' and associated email
> ''goca17 at gmail.com'' were not in the user table like all other users, but
> in the ''wp_wc_customer_lookup table''; no password assigned to this
> user. Basically I don't know how the WordPress login is even possible,
> without a password?!... That raised another red flag.
> 3. At present website setup, a user cannot be created and not be
> present in the user table, even if it is canceling a payment. The order
> is also displayed afterward anyway, as ''canceled'' or ''pending
> payment''. Such a created user is also present and visible. So, it is
> impossible to have a log in from a shadow user, without seeing their
> action results. ''I drew the conclusion goca17 is a shadow user.'' That
> was another flag.
> 4. Because my mailbox was full exactly on that day when I was asking
> answers from the developer, I did not receive any of his emails for more
> hours and I thought he is ducking. That is the reason I panicked and
> escalated into informing WordPress and Wordfence about what I had thought
> to be a security breach. This was simply complicating the understanding
> of facts.
>
> **5. It is true that in February last year I the developer (Goran) to
> check the plugin on my website, and that is the time the user was
> registered in the database. This is proof that I am wrong in my claim.**
>
> **I assume responsibility for not remembering the fact that I invited the
> developer to check the plugin on my website, at the time. I found that
> archived email, and that is the proof I am wrong. I didn't recall what
> happened one year ago.**
>
> I don't understand how that user was registered and is not showed in the
> users' database, and allow logging in; **this might be a WooCommerce
> bug.**
>
> **Everything is a miscommunication layered on what appears as a bug. I
> understand that WPGens's plugins were taken down in the marketplace. That
> it is a consequence of raising my red flag against his software. They
> should be reinstated. I hope they will be as soon as possible.**
>
> It is not uncommon to find software harboring backdoor exploits. I
> receive alerts from Wordfence weekly, indicating plugins that exploit
> vulnerabilities to get access to other computers. In this context, I
> acted.
>
> This is my public apology. It was not my intention to harm WPGens just
> because. I thought I was the victim of a user attack on the website, and
> that was the reason for my action.
>
> **I am sincerely apologizing to Goran from WPGens, and I am asking you to
> reinstate his plugins in the marketplace.**
>
> Regards,
>
> C. Barac
> becosfx.com
New description:
Dear Sirs,
**In regards to the red flag raised against WPGens Refer a Friend plugin,
I think I was in error, and that is not a correct claim. This was the post
that is now removed: https://wordpress.org/support/topic/security-breach-
wpgenss-refer-a-friend-for-wc-sets-up-backdoor-user-in-
db/?view=all#post-12328496**
I will explain the situation below:
1. I use Hotjar. A recording showed a login of a user without a name.
This is the recording: ''removed'' . After login, in the upper right
corner, the user is shown logged in as (CUSTOMER) without a name. That was
the red flag.
2. On internal verification, the user ''removed'' and associated email
''removed'' were not in the user table like all other users, but in the
''wp_wc_customer_lookup table''; no password assigned to this user.
Basically I don't know how the WordPress login is even possible, without a
password?!... That raised another red flag.
3. At present website setup, a user cannot be created and not be
present in the user table, even if it is canceling a payment. The order is
also displayed afterward anyway, as ''canceled'' or ''pending payment''.
Such a created user is also present and visible. So, it is impossible to
have a log in from a shadow user, without seeing their action results. ''I
drew the conclusion goca17 is a shadow user.'' That was another flag.
4. Because my mailbox was full exactly on that day when I was asking
answers from the developer, I did not receive any of his emails for more
hours and I thought he is ducking. That is the reason I panicked and
escalated into informing WordPress and Wordfence about what I had thought
to be a security breach. This was simply complicating the understanding of
facts.
**5. It is true that in February last year I the developer (Goran) to
check the plugin on my website, and that is the time the user was
registered in the database. This is proof that I am wrong in my claim.**
**I assume responsibility for not remembering the fact that I invited the
developer to check the plugin on my website, at the time. I found that
archived email, and that is the proof I am wrong. I didn't recall what
happened one year ago.**
I don't understand how that user was registered and is not showed in the
users' database, and allow logging in; **this might be a WooCommerce
bug.**
**Everything is a miscommunication layered on what appears as a bug. I
understand that WPGens's plugins were taken down in the marketplace. That
it is a consequence of raising my red flag against his software. They
should be reinstated. I hope they will be as soon as possible.**
It is not uncommon to find software harboring backdoor exploits. I receive
alerts from Wordfence weekly, indicating plugins that exploit
vulnerabilities to get access to other computers. In this context, I
acted.
This is my public apology. It was not my intention to harm WPGens just
because. I thought I was the victim of a user attack on the website, and
that was the reason for my action.
**I am sincerely apologizing to Goran from WPGens, and I am asking you to
reinstate his plugins in the marketplace.**
Regards,
C. Barac
--
Comment:
Hi @becosfx,
Welcome to Trac!
This Trac instance is for tasks related to the WordPress Core software. If
a plugin was removed from wordpress.org because of something you reported,
then this is something that you would need to take up with the plugin team
by emailing them at plugins at wordpress.org.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/49207#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list