Support » Plugin: Simple 301 Redirects - Addon - Bulk Uploader » Malicious website redirects inserted!

  • epicmarketing

    (@epicmarketing)


    This plugin has been causing many sites to have spam links injected into the 301 redirects. Users going to your site are then redirected to malicious websites.

    The author has not sufficiently alerted users to the severity of having this plugin not be updated. I’m not even certain the latest updated version fixed the issue. The changelog says nothing about it. Thus, do not trust this plugin. It causes a severe security issue, and the devs have not owned up to the problem.

    To fix the issue, delete the spam redirects in the 301 Redirect Settings (I had 3), and be sure to remove this plugin. Having the regular 301 redirect plugin installed and active is still fine.
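The clean-up step the reviewer describes (finding the injected entries among the legitimate ones) is easy to get wrong by eye when a site has dozens of redirects. The script below is an added example, not code from the plugin, the reviewer, or the plugin authors. It assumes the redirect map has been exported with WP-CLI as JSON (`wp option get 301_redirects --format=json > redirects.json`; `301_redirects` is the option in which Simple 301 Redirects keeps its request-to-destination map, which you should confirm on your own install), and it flags every destination whose host is not the site's own host or a subdomain of it. The sample export embedded in the script is constructed for the example; `example.com` stands in for the audited site.

```python
"""Audit a Simple 301 Redirects map for destinations that leave the site.

Added example; not the plugin's own code. Assumes the map was exported with
    wp option get 301_redirects --format=json > redirects.json
The option name '301_redirects' is an assumption to verify on your install.
"""
import json
import sys
from typing import Dict, Optional
from urllib.parse import urlsplit

# The site being audited (assumption for this example).
SITE_HOST = "example.com"

# Constructed sample of an exported option: three legitimate redirects and
# three injected ones of the kind described in the review above.
SAMPLE_EXPORT = json.dumps({
    "/old-page": "/new-page",
    "/about-us": "https://example.com/about",
    "/blog/2017/": "https://www.example.com/blog/",
    "/best-deals": "https://cheap-pills.example.net/?ref=x",
    "/login": "//evil.example.org/phish",
    "/promo": "HTTP://EXAMPLE.COM.evil.example.org/",
})


def destination_host(dest: str) -> Optional[str]:
    """Return the lowercase host a destination will send the browser to.

    None means the destination is site-relative (e.g. "/new-page").
    Scheme-relative "//host/path" is normalised so its host is not missed,
    and userinfo tricks such as "https://example.com@evil/" resolve to the
    real host because urlsplit().hostname ignores the userinfo part.
    """
    d = dest.strip()
    if d.startswith("//"):
        d = "https:" + d
    parts = urlsplit(d)
    if not parts.netloc:
        # No authority component: the browser treats this as a path on the
        # current site, so it cannot leave the site.
        return None
    return (parts.hostname or "").lower()


def is_same_site(host: str, site_host: str) -> bool:
    """True for the site host itself and any of its subdomains."""
    site_host = site_host.lower()
    return host == site_host or host.endswith("." + site_host)


def find_offsite_redirects(export_json: str, site_host: str) -> Dict[str, str]:
    """Return {request_path: destination} for every redirect leaving the site."""
    redirects = json.loads(export_json)
    flagged: Dict[str, str] = {}
    for request, dest in redirects.items():
        host = destination_host(str(dest))
        if host is None:
            continue
        if not is_same_site(host, site_host):
            flagged[request] = dest
    return flagged


if __name__ == "__main__":
    # Usage: python audit_redirects.py redirects.json example.com
    # With no arguments the constructed sample is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            data, site = fh.read(), sys.argv[2]
    else:
        data, site = SAMPLE_EXPORT, SITE_HOST
    for request, dest in find_offsite_redirects(data, site).items():
        print(f"OFF-SITE  {request}  ->  {dest}")
```

Treat every flagged entry as suspect until someone can explain it; the injected ones in this thread were plain spam domains, but the check is deliberately strict about host matching (`example.com.evil.example.org` is not `example.com`) so that look-alike hosts are caught too. Delete the injected entries from the 301 Redirect Settings page or with `wp option update`, then remove the add-on as the reviewer advises.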

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support Temyk

    (@webtemyk)

The vulnerability was fixed in update 1.2.5. There is a message about it on the support forum
and also a record in the changelog:

    1.2.5
    Fixing vulnerabilities

    Please correct the rating, because what you wrote is not true.

I checked the changelog when I was looking at plugins to try and find this issue. It was not there. If it had been there, it could have saved some time. When did you put that in? Six days after you knew of the issue and worked on it? It was true. That you decided to retroactively update things afterwards isn't my fault. This should have been done on day one.

    Plugin Support Temyk

    (@webtemyk)

We released an update with fixes as soon as we learned about the vulnerability. That was 7 days ago.
Yesterday, when you wrote this review, the changelog already had the information, but you had not checked it. And we also recognized the vulnerability.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    I think the confusion here is that the Readme was updated 27 hours ago to document the fix, but the fix was actually added between 2 and 7 days ago.

    @anevins is correct.

The problem here is that a severe security breach took place. Everyone makes mistakes. I'm glad you fixed the problem. However, my concern is that you didn't notify anyone of the problem in an acceptably professional manner. You put a huge banner on the website back-end as an ad. That's fine. But why not notify everyone who has your plugin installed that they need to update ASAP or risk having malicious links inserted into their site in a similar way? Or at least put it in the changelog and plugin notification on day one? I've seen others do this. You did not. This caused damage to three different websites I manage, and I spent hours working on fixing this problem because of this poor notification.

Does this all make sense? I appreciate the work you do in providing a free plugin. However, there is a responsibility for making sure your plugin does not harm other people's websites, and part of that is making it clear that your plugin needs to be patched to prevent a malicious attack. I posted this review not to hurt you, but to help other people (because you weren't doing it). I didn't check the changelog again before posting, but the damage had already been done.

    I believe others continue to have this problem, or am I wrong?

    Plugin Support Temyk

    (@webtemyk)

    Indeed, we were in a hurry and forgot to immediately indicate the changes in the changelog.
    We have no way to notify plugin users about anything. We can only release an update.
    In any case, to fix the vulnerability, you need to update the plugin, and many immediately updated it, despite the fact that the changelog did not specify the reason for the update.
