Viewing 13 replies - 1 through 13 (of 13 total)
  • For security issues with WordPress plugins, please email the details to plugins [at] wordpress.org, including as much detail as possible.

    Thread Starter Chandle

    (@chandle)

    Done.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Confirmed, that’s pretty evil.

    To report any plugin issues like this, please send an email to plugins AT wordpress.org (which I’ve just done).

    Edit: I’m still slow. 😉

    Thread Starter Chandle

    (@chandle)

    Btw guys, I have been using WP for years and I had to register a second ago because I only needed to report this.
    There should be a “Report phishing” button or something like that on the plugin page… we are in 2012 – such things will happen again 😉

    @jan haha. 🙂

    @chandle. In theory that sounds like a great idea. However, I think it would be overused and the “email method” would probably be more efficient. I assume the plugins are monitored regularly so it’s not really a huge problem, at least with my “plugin experience.” If you vote the plugin doesn’t work and then create a post like you did here there will be a very quick response, like this evening.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    Plugin closed. Ugh. Poor guy.

    Thread Starter Chandle

    (@chandle)

    Why closed?

    Just reverting to v10.1.5 and removing the author’s permissions would be enough. It is a fairly good plugin!

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    Because I don’t have access to revert it. 😀 Closing is to stop people from upgrading for now. Someone will roll it back and up the revision tonight.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    I will revert this and bump the version soon. In the meantime, closing it prevents further infection.

    If anybody wants to decode this and track down the perpetrator, I will do everything in my power to shut them down. I will do this anyway, but I’m currently mobile, so you might save me some time.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Email me any findings, btw: otto@wordpress.org. Action will be taken. (so mad right now)

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    Decoded and sent. I’m pissed too and trying to make sure the REAL plugin author gets notified.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Plugin has been reverted (thanks nacin!) and the new version is clean.

    As Otto says, the new version, 10.1.8, is clean. It is an exact copy of 10.1.5, with the version number bumped to ensure upgrades.

    The user account is currently suspended until we establish the proper identity, etc.

    Probably related: http://wpdevel.wordpress.com/2012/03/27/phishing-attempts-for-wordpress-org-credentials/. Be on the lookout.

    Marking this as resolved for now.

  • The topic ‘[Plugin: Flash MP3 Player] [PHISHING] DO NOT DOWNLOAD v10.1.7 – IT ONLY COMES WITH PHISHING FORMS!’ is closed to new replies.