Hi Josh,

    I wanted to bring another issue to your attention.

    On the settings page this plugin calls home to populate the meta boxes for “Updates”, “Support”, and “Feedback”.

    The code in question is in the file ‘new-user-approve/includes/admin-approve.php’ on lines 219-224 and 254-261:

    public function add_meta_boxes() {
        add_meta_box( 'nua-approve-admin', __( 'Approve Users', 'new-user-approve' ), array( $this, 'metabox_main' ), 'users_page_new-user-approve-admin', 'main', 'high' );
        // The three side boxes are all rendered by metabox_ajax() and each carries a remote URL to fetch.
        add_meta_box( 'nua-updates', __( 'Updates', 'new-user-approve' ), array( $this, 'metabox_ajax' ), 'users_page_new-user-approve-admin', 'side', 'default', array( 'url' => 'http://newuserapprove.com/wp-json/posts/52' ) );
        add_meta_box( 'nua-support', __( 'Support', 'new-user-approve' ), array( $this, 'metabox_ajax' ), 'users_page_new-user-approve-admin', 'side', 'default', array( 'url' => 'http://newuserapprove.com/wp-json/posts/54' ) );
        add_meta_box( 'nua-feedback', __( 'Feedback', 'new-user-approve' ), array( $this, 'metabox_ajax' ), 'users_page_new-user-approve-admin', 'side', 'default', array( 'url' => 'http://newuserapprove.com/wp-json/posts/56' ) );
    }

    public function metabox_ajax( $post, $metabox = array() ) {
        // Requests the remote URL every time the settings page is rendered.
        $response = wp_remote_get( $metabox['args']['url'] );
        if ( wp_remote_retrieve_response_code( $response ) == 200 ) {
            $body    = wp_remote_retrieve_body( $response );
            $details = json_decode( $body );
            // Prints the remote 'content' field as-is into the admin page.
            print $details->content;
        }
    }

    As you’re probably aware from the plugin developer guidelines, that’s kind of a big deal, as they don’t want us to be doing that because of privacy and security risks.

    I realize you most likely mean no harm and probably aren’t collecting any data with this, but a savvy/deceptive developer could do just that.

    Rule 7 of the plugin developer guidelines says:

    No “phoning home” without user’s informed consent. This seemingly simple rule actually covers several different aspects:

    • All images and scripts shown should be part of the plugin. These should be loaded locally. If the plugin does require that data is loaded from an external site (such as blocklists) this should be made clear in the plugin’s admin screens or description. The point is that the user must be informed of what information is being sent where.

    Thanks in advance for fixing this!

    – Scott

    https://wordpress.org/plugins/new-user-approve/
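A consent-gated version of the metabox callback, as an added example that is not part of the original post or of the plugin's own code. Compared with the snippet quoted above (which requests a plain http:// URL on every page load and prints $details->content unfiltered), this version makes no outbound request until an administrator turns the option on, tells the admin what would be fetched from where, caches the result, requests the URL over HTTPS and passes the remote HTML through wp_kses_post before printing it. The option name nua_allow_remote_content, the settings page slug new-user-approve and the class name are assumptions; the metabox callback keeps the original's signature and $metabox['args']['url'] argument.

```php
<?php
// Added example, not the plugin's own code. Demonstrates an opt-in remote
// metabox: no outbound request until an administrator explicitly enables it.
// Assumed names: the option 'nua_allow_remote_content', the settings page slug
// 'new-user-approve' and this class.

class NUA_Opt_In_Remote_Metabox {

	const OPT_IN = 'nua_allow_remote_content'; // assumed option name

	public function __construct() {
		add_action( 'admin_init', array( $this, 'register_opt_in' ) );
	}

	// Register the consent option and expose it as a checkbox on the settings page.
	public function register_opt_in() {
		register_setting( 'new-user-approve', self::OPT_IN, array(
			'type'              => 'boolean',
			'sanitize_callback' => 'rest_sanitize_boolean',
			'default'           => false,
		) );
		add_settings_field(
			self::OPT_IN,
			__( 'Load content from newuserapprove.com', 'new-user-approve' ),
			array( $this, 'render_opt_in_field' ),
			'new-user-approve' // assumed settings page slug
		);
	}

	public function render_opt_in_field() {
		printf(
			'<label><input type="checkbox" name="%1$s" value="1" %2$s /> %3$s</label>',
			esc_attr( self::OPT_IN ),
			checked( (bool) get_option( self::OPT_IN, false ), true, false ),
			esc_html__( 'Allow the Updates, Support and Feedback boxes to fetch their text from newuserapprove.com.', 'new-user-approve' )
		);
	}

	// Metabox callback: same signature as the original, but consent-gated,
	// cached, HTTPS-only and sanitised.
	public function metabox_ajax( $post, $metabox = array() ) {
		$url = isset( $metabox['args']['url'] ) ? $metabox['args']['url'] : '';
		if ( '' === $url ) {
			return;
		}

		if ( ! get_option( self::OPT_IN, false ) ) {
			// Informed consent: say what would be fetched and from where, and fetch nothing.
			printf(
				'<p>%s</p>',
				esc_html( sprintf(
					/* translators: %s: remote host name */
					__( 'This box is populated from %s. Enable "Load content from newuserapprove.com" in the plugin settings to allow it.', 'new-user-approve' ),
					wp_parse_url( $url, PHP_URL_HOST )
				) )
			);
			return;
		}

		// Cache so the admin page does not make an outbound request on every load.
		$cache_key = 'nua_remote_' . md5( $url );
		$html      = get_transient( $cache_key );

		if ( false === $html ) {
			$response = wp_remote_get( set_url_scheme( $url, 'https' ), array( 'timeout' => 5 ) );
			if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
				return;
			}
			$details = json_decode( wp_remote_retrieve_body( $response ) );
			if ( ! is_object( $details ) || ! isset( $details->content ) || ! is_string( $details->content ) ) {
				return;
			}
			// Never print remote HTML into an admin page unfiltered.
			$html = wp_kses_post( $details->content );
			set_transient( $cache_key, $html, 12 * HOUR_IN_SECONDS );
		}

		echo $html; // already filtered by wp_kses_post before caching
	}
}

new NUA_Opt_In_Remote_Metabox();
```

The checkbox is the "informed consent" the guideline asks for: the setting defaults to off, its label names the remote host, and the metabox itself explains what it would load until the admin opts in. Filtering with wp_kses_post matters independently of consent, because whatever the remote server (or anyone who can tamper with the response in transit) returns in the content field would otherwise be rendered directly inside wp-admin.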

Viewing 2 replies - 1 through 2 (of 2 total)
The topic ‘Plugin calls home – please fix or add option for user permission’ is closed to new replies.