[wp-trac] [WordPress Trac] #49207: About alleged security breach in WPGens Refer a Friend plugin. I was wrong. Plugins were taken out of marketplace. They should be reinstated.

WordPress Trac noreply at wordpress.org
Thu Jan 16 15:38:02 UTC 2020


#49207: About alleged security breach in WPGens Refer a Friend plugin. I was wrong.
Plugins were taken out of marketplace. They should be reinstated.
--------------------------+----------------------
 Reporter:  becosfx       |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  Plugins       |     Version:
 Severity:  major         |  Resolution:  invalid
 Keywords:                |     Focuses:
--------------------------+----------------------
Changes (by desrosj):

 * keywords:  close =>
 * status:  assigned => closed
 * resolution:   => invalid
 * milestone:  Awaiting Review =>


New description:

 Dear Sirs,

 **With regard to the red flag raised against the WPGens Refer a Friend
 plugin, I think I was in error, and that is not a correct claim. This was
 the post that is now removed:
 https://wordpress.org/support/topic/security-breach-wpgenss-refer-a-friend-for-wc-sets-up-backdoor-user-in-db/?view=all#post-12328496**

 I will explain the situation below:

     1. I use Hotjar. A recording showed a login of a user without a name.
 This is the recording: ''removed''. After login, in the upper right
 corner, the user is shown logged in as (CUSTOMER) without a name. That was
 the red flag.
     2. On internal verification, the user ''removed'' and the associated
 email ''removed'' were not in the user table like all other users, but in
 the ''wp_wc_customer_lookup'' table; no password was assigned to this
 user. Basically, I don't know how the WordPress login is even possible
 without a password?!... That raised another red flag.
     3. With the present website setup, a user cannot be created and not be
 present in the user table, even if they are canceling a payment. The order
 is also displayed afterward anyway, as ''canceled'' or ''pending
 payment''. Such a created user is also present and visible. So, it is
 impossible to have a login from a shadow user without seeing their action
 results. ''I drew the conclusion that goca17 is a shadow user.'' That was
 another flag.
     4. Because my mailbox was full on exactly that day, when I was asking
 the developer for answers, I did not receive any of his emails for several
 hours and I thought he was ducking. That is the reason I panicked and
 escalated to informing WordPress and Wordfence about what I had thought
 to be a security breach. This simply complicated the understanding of the
 facts.

     **5. It is true that in February last year I invited the developer
 (Goran) to check the plugin on my website, and that is the time the user
 was registered in the database. This is proof that I am wrong in my
 claim.**

 **I assume responsibility for not remembering the fact that I invited the
 developer to check the plugin on my website, at the time. I found that
 archived email, and that is the proof I am wrong. I didn't recall what
 happened one year ago.**

 I don't understand how that user was registered and is not shown in the
 users' database, yet is allowed to log in; **this might be a WooCommerce
 bug.**

 **Everything is a miscommunication layered on what appears to be a bug. I
 understand that WPGens's plugins were taken down from the marketplace, and
 that this is a consequence of my raising a red flag against his software.
 They should be reinstated. I hope they will be as soon as possible.**

 It is not uncommon to find software harboring backdoor exploits. I receive
 alerts from Wordfence weekly indicating plugins that exploit
 vulnerabilities to gain access to other computers. In this context, I
 acted.

 This is my public apology. It was not my intention to harm WPGens just
 because. I thought I was the victim of a user attack on the website, and
 that was the reason for my action.

 **I am sincerely apologizing to Goran from WPGens, and I am asking you to
 reinstate his plugins in the marketplace.**

 Regards,

 C. Barac

--

Comment:

 Hi @becosfx,

 Welcome to Trac!

 This Trac instance is for tasks related to the WordPress Core software. If
 a plugin was removed from wordpress.org because of something you reported,
 then this is something that you would need to take up with the plugin team
 by emailing them at plugins at wordpress.org.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/49207#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform