Wordfence Security
[resolved] Modified plugin file: wp-content/plugins/.../readme.txt (7 posts)

  1. Nikola Nikolov
    Member
    Posted 5 months ago #

    I've received one or two alerts like this one before, and today I just received two more.

    One of the plugins reported was the WordPress Importer and the other one was for the Events Manager plugin.
    I think that the difference might be coming due to the fact that you compare the trunk version of a plugin with the version installed locally.
    Some (maybe even most) plugins actually have a development version in the trunk directory and then just supply the "Stable tag:" header in their readme file.
    That's a minor issue and I feel like to fix it you might have to do some extra logic in your servers (since I assume the version check comes from your servers), but I just thought that it would be good to report it.

    https://wordpress.org/plugins/wordfence/

  2. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    Hi Nikolov,

    Actually we use the tag to compare and we figure out which tag to use based on the version. If there are no tags, then we'll use trunk.

    So if the developer is behaving properly and tagging each release (and then not adding to that tag, but adding to trunk and creating a new tag for each release) our system works great.

    The problem arises when developers check code into tags.

    Can you tell me which plugin versions and what differences you're seeing?

    Regards,

    Mark
    PS: If you found this helpful, please rate Wordfence 5 stars.
    http://wordpress.org/plugins/wordfence/

  3. Nikola Nikolov
    Member
    Posted 5 months ago #

    That makes sense. The strange thing on the other hand is that it only happens for the readme.txt files - I haven't seen it anywhere else so far.

    Anyway, here's what showed up earlier today:

    Events Manager (http://wordpress.org/plugins/events-manager/):
    - Installed version: 5.5.2
    - Installed version's "Tested up to:" has been "changed" from 3.8 to 3.6
    - A section in the changelog "= 5.5.2.1 (dev) =" has been "removed" from the local file.

    WordPress Importer (http://wordpress.org/plugins/wordpress-importer/):
    - Installed version: 0.6.1
    - Installed version's "Tested up to:" has been "changed" from 3.8(original version) to 3.6
    - Installed version's "Stable tag:" has been "changed" from 0.6.1(original version) to 0.6

    Again - that's not a big issue and I assume it could indeed be due to the developers committing to a tag, instead of into trunk. I usually ignore those issues, since they're obviously not a problem at all.

    Thank you for your time,
    Nikola
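
The comparison rule Mark describes in post 2 (compare against the tag named after the installed version, fall back to trunk only when the plugin has no tags) and the kind of readme.txt differences listed in post 3 can be reproduced with a small checker. The script below is an added example, not Wordfence's own code: the repository layout (`tags` and `trunk` held in a dict), the readme contents, and the behaviour when tags exist but none matches the installed version (reported as unverifiable rather than compared against trunk) are all assumptions, and the sample readme text is constructed to mirror the Events Manager 5.5.2 case above.

```python
"""Pick the reference copy of a plugin file the way the thread describes,
then compare a local readme.txt against it. Added example; assumptions are
marked in comments."""
import difflib
import re

# Constructed sample data modelled on the Events Manager 5.5.2 report above.
REFERENCE_README = """=== Events Manager ===
Contributors: example-author
Tags: events, calendar
Requires at least: 3.5
Tested up to: 3.8
Stable tag: 5.5.2

== Changelog ==
= 5.5.2.1 (dev) =
* constructed: notes committed into the tag after the release
= 5.5.2 =
* constructed: release notes
"""

LOCAL_README = """=== Events Manager ===
Contributors: example-author
Tags: events, calendar
Requires at least: 3.5
Tested up to: 3.6
Stable tag: 5.5.2

== Changelog ==
= 5.5.2 =
* constructed: release notes
"""

# Assumed repository layout: tag name -> readme text, plus trunk.
REPO = {
    "tags": {"5.5.1": "(older readme, not used here)", "5.5.2": REFERENCE_README},
    "trunk": REFERENCE_README,
}

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*?)\s*$")
CHANGELOG_ENTRY_RE = re.compile(r"^=\s*(.+?)\s*=$")


def choose_reference(installed_version, tags):
    """Return 'tags/<version>' when that tag exists, 'trunk' when the plugin
    has no tags at all (the rule stated in the thread), and None when tags
    exist but none matches (assumption: refuse to guess rather than diff
    against an unrelated revision)."""
    if not tags:
        return "trunk"
    if installed_version in tags:
        return "tags/" + installed_version
    return None


def parse_readme(text):
    """Return (headers, changelog_entries): the 'Name: value' lines of the
    leading block, and the '= x =' entries under '== Changelog =='."""
    head, _, body = text.partition("\n\n")
    headers = {}
    for line in head.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            headers[m.group(1)] = m.group(2)
    entries, in_changelog = [], False
    for line in body.splitlines():
        s = line.strip()
        if s.startswith("=="):  # section header such as '== Changelog =='
            in_changelog = s.strip("= ").lower() == "changelog"
            continue
        if in_changelog:
            m = CHANGELOG_ENTRY_RE.match(s)
            if m:
                entries.append(m.group(1))
    return headers, entries


def compare_readmes(local_text, reference_text):
    """Report header values that differ and changelog entries present on
    only one side, which is the shape of the alerts quoted above."""
    local_h, local_cl = parse_readme(local_text)
    ref_h, ref_cl = parse_readme(reference_text)
    return {
        "headers_changed": {k: (local_h.get(k), ref_h.get(k))
                            for k in sorted(set(local_h) | set(ref_h))
                            if local_h.get(k) != ref_h.get(k)},
        "changelog_removed": [e for e in ref_cl if e not in local_cl],
        "changelog_added": [e for e in local_cl if e not in ref_cl],
    }


def scan_readme(installed_version, repo, local_text):
    """Full check: choose the reference, diff, and classify the result."""
    ref = choose_reference(installed_version, repo["tags"])
    if ref is None:
        return {"status": "unverifiable", "reference": None}
    reference_text = repo["trunk"] if ref == "trunk" else repo["tags"][installed_version]
    result = compare_readmes(local_text, reference_text)
    modified = any(result.values())
    return {"status": "modified" if modified else "clean", "reference": ref, **result}


def unified_diff(local_text, reference_text):
    """Line-level diff of the two files, for the alert detail."""
    return "".join(difflib.unified_diff(
        reference_text.splitlines(True), local_text.splitlines(True),
        fromfile="repository", tofile="local"))


if __name__ == "__main__":
    report = scan_readme("5.5.2", REPO, LOCAL_README)
    print(report)
    print(unified_diff(LOCAL_README, REPO["tags"]["5.5.2"]))
```

The same header and changelog comparison flags the "Stable tag:" change reported for WordPress Importer, since every header in the leading block is compared; the point of classifying a non-matching tag as unverifiable rather than silently diffing against trunk is exactly the mismatch Nikola first suspected.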

  4. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    I just installed Events Manager and it scans clean for me.

    Can you tell me how you installed it? Did you download it from the author's website?

    Thanks.

  5. Nikola Nikolov
    Member
    Posted 5 months ago #

    It did that during a scheduled scan - I believe after I updated Wordfence (the 4.0.2 update).

    I installed it from the plugins repository and I did so quite some time ago. The trac log shows that the last commit for the Events Manager plugin was 6 weeks ago, so I'm not sure why it would show up just now.
    https://plugins.trac.wordpress.org/browser/events-manager/

    Basically there's been no change whatsoever in the site where I experienced this happening (besides updating to Wordfence 4.0.2 - I also just updated to 4.0.3).

    So I assume that when you download the plugin now, you would actually have the "= 5.5.2.1 (dev) =" section in the readme (since it's in the tagged directory as well).

  6. Wordfence
    Member
    Plugin Author

    Posted 5 months ago #

    OK, found it. He/she checked code into the 5.5.2 tag after the release:

    https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=826766%40events-manager&old=794571%40events-manager&sfp_email=&sfph_mail=

    So what I would do if I were you (and anyone else suffering from a plugin developer who checks code into their tags) is just do a repair on files which have changed. This will have the same effect as if you were to uninstall the plugin and reinstall the newer version 5.5.2, while retaining any settings or data that might be removed on uninstall.

    Sound good?

  7. Nikola Nikolov
    Member
    Posted 5 months ago #

    I agree - even though with just the readme file being affected, I might just ignore the issue until the file changes - I don't lose anything by ignoring a readme change, so I'm fine with that.

    Obviously if other more vital files were changed (which they shouldn't), I will repair the files.

    Thank you for looking into that,
    Nikola
