Serious hack issues with this plugin

  • EclipseDesignConcepts

    (@eclipsedesignconcepts)


    10 years ago

    I used this plugin for the first time on one of my sites as an alternative to the one I normally use since there are things I don’t like about that one. It’s a client site who is no longer under a maintenance contract so I don’t normally go to the site to check on things. I had a reason to go there today and was dismayed to see dozens of spam blog posts and ALL of the spam users (who were able to register since the Stop Spam Registry Plugin has been changed and no longer blocks a lot of spammers) that had registered were listed as EDITORS! I immediately deleted all of those users and the spam posts and then set to figure out what was going on. After reading the support forum here I realized I needed to check a few things. Under Settings/General I was horrified to see all sorts of settings changed. For instance new users were automatically registered as EDITORS instead of SUBSCRIBERS as I had set it up to be. All of my posting and commenting moderation settings were modified. For this client I had it set up to be super tight as they didn’t want anyone being able to do anything without their knowledge or permission. Those settings were all changed to the most lenient. I, of course, switched everything back to the way I had it. Then I went into the settings for this plugin and was again horrified. The settings for the user level subscriber were set that any subscriber could add/delete and modify other users (it wasn’t like that when I first set up the plugin so this must have happened during an update that I didn’t catch)! I knew instantly what the whole issue was! A spammer registered, saw he was automatically an editor (whose settings were now set to allow them to make changes to the other settings!) and went in and changed my settings to not only be the most lenient but most importantly so that the owners wouldn’t be notified of spam postings or comments! Needless to say I will not be using this particular plugin again and I would recommend that someone look into this issue for the other users who are still using it. It poses a serious risk to site owners. I was lucky in that they didn’t discover the ability to change my admin status and make other more serious changes to the site! Users beware! Check your settings thoroughly!

    https://wordpress.org/plugins/capability-manager-enhanced/

Viewing 2 replies - 1 through 2 (of 2 total)
  • klantomo

    (@klantomo)

    9 years, 12 months ago

    I wonder if we face the same problem? Capabilities on our installation automatically reset to the default settings after some time. Did you experience the same?

    I just posted something about it: http://wordpress.org/support/topic/capabilities-reset-automatically-to-default-after-some-days?replies=1#post-5509081

    Plugin Author Kevin Behrens

    (@kevinb)

    9 years ago

    The scenario Eclipse described does not sound like a CapsManager-induced hack. Capability Manager Enhanced just edits the capabilities array stored to your database’s wp_options table. It does not allow that to be done unless the logged user has the Administrator role or the manage_capabilities capability.

    Capability Manager Enhanced does not update or filter the default_role option in any way. The fact that this plugin displayed your modified capabilities does not mean it allowed that modification to happen. I am open to being proven wrong, but if you started with a WP roles which were either standard or stricter than standard, it’s hard for me to see how CME would be responsible for this hack.

    If you are still concerned, there is no need to leave Capability Manager Enhanced active permanently. Just activate it to modify your db-stored role definitions, then deactivate it once everything is defined.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Serious hack issues with this plugin’ is closed to new replies.