Support » Plugin: WP Approve User » Deactivation Approves All Users – SECURITY ISSUE

  • You have a serious bug in your plugin. If any users register, and they are not approved, they all become approved once deactivating your plugin. This is a massive security risk.

Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author Konstantin Obenland

    (@obenland)

    No, it is not.

    Next time, try deleting or approving all pending users before deactivating the plugin.

    Thread Starter Dario Zadro

    (@zadro)

    If the users were pending, I would NOT expect them to auto-approve to active status. On a site with hundreds of users, the way you have it is a problem. It would be safer to delete all pending users on deactivation.

    Hello, @obenland. Have you made or plan to make any adjustments in the default behavior regarding this issue?

    Plugin Author Konstantin Obenland

    (@obenland)

    I’m not planning to make any adjustments here. It is WordPress’ default behavior and to be expected when deactivating the plugin.

    OK. Maybe a warning of what to expect upon deactivation could be useful, though. That way, users wouldn’t assume wrongly that deactivation won’t change what they have not explicitly allowed.

    Best.

    I agree with the other users here that this would be a nice feature to have. Maybe keeping the pending users as meta when deactivating, so once it is reactivated the pending users are all still pending. When the plugin is removed entirely ( deleted ) then it would go through the cleanup process of removing the metadata.

    I guess I see deactivating as more of a temporary action where this plugin handles it as a permanent action.

    Thanks, @howdy_mcgee. That’s actually the key of this misunderstanding: deactivating is temporary; uninstalling is permanent.

    Temporarily deactivating plugins is a standard action while troubleshooting. Without even a warning, the site admin will never know of the potential dangers and -at the very least- complications ahead.

    Plugin Author Konstantin Obenland

    (@obenland)

    That’s actually the key of this misunderstanding: deactivating is temporary; uninstalling is permanent.

    Agreed! I updated the activation callback to not overwrite existing meta values, which should fix that in version 8 of the plugin. Thanks for bearing with me.
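An added illustration of the fix described above, contrasting an activation callback that overwrites approval meta with one that preserves it. This is example code, not the plugin's own; the meta key, option names and function names are hypothetical.

```php
<?php
// Added example, not code from the WP Approve User plugin.
// EXAMPLE_APPROVED_META is a placeholder, not the plugin's real meta key.
const EXAMPLE_APPROVED_META = 'example_user_approved';

// BEFORE: activation marks every existing user as approved, overwriting any
// pending flag left from an earlier activation. After a deactivate/reactivate
// cycle, users who were pending silently become approved.
function example_activate_overwrites() {
    foreach ( get_users( array( 'fields' => 'ID' ) ) as $user_id ) {
        update_user_meta( $user_id, EXAMPLE_APPROVED_META, 1 );
    }
}

// AFTER: only users with no approval meta at all (users who existed before the
// plugin was ever activated) receive the default; any existing value, including
// a pending one, is left untouched. add_user_meta() with $unique = true refuses
// to write when the key is already present, so the check is belt and braces.
function example_activate_preserves() {
    foreach ( get_users( array( 'fields' => 'ID' ) ) as $user_id ) {
        if ( ! metadata_exists( 'user', $user_id, EXAMPLE_APPROVED_META ) ) {
            add_user_meta( $user_id, EXAMPLE_APPROVED_META, 1, true );
        }
    }
}

// Deactivation runs no cleanup, so the per-user meta stays in the usermeta
// table and is still there on reactivation; removal belongs in uninstall.php,
// which WordPress runs only when the plugin is deleted.
register_activation_hook( __FILE__, 'example_activate_preserves' );
```

While the plugin is deactivated its login filter is not loaded, so WordPress core alone decides who can log in; the preserved meta only takes effect again once the plugin is reactivated.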

    idearius

    (@idearius)

    Thanks, Konstantin.

    Cheers.

    whiteweazel21

    (@whiteweazel21)

    Is this pushed live?

    Every time I deactivate the plugin for testing/dev purposes, all users are automatically approved. I’ve auto-approved like 20 bots already.

    Should I download and replace the files manually? Or is it live already and just not working as intended? This “bug” is pretty bad!

    Thanks for the plugin by the way!

    (MB, seems I’m on version 7. I didn’t get any message to update the plugin in the plugins menu. Guess I’ll reinstall manually via upload. Thanks!)

    Plugin Author Konstantin Obenland

    (@obenland)

    This “bug” is pretty bad!

    Thanks for the plugin by the way!

    What an emotional rollercoaster! 🙂
    Thanks for the heads up, should be fixed now.
