• Resolved jjwemyss

    (@jjwemyss)


    This morning we noticed one of our clients' sites was redirecting to a sex site. On further investigation it turned out to be caused by your plugin. This was further confirmed by us looking at another 5 of our sites that had the plugin on, and the same thing was happening on all 5 of them. Removing the plugin has resolved the problem on all the sites, but it would be good to know if it has left any problems.
    We have used the plugin for a long time and found it fantastic.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Support webtemyk

    (@webtemyk)

    Hello.

    Please accept our apologies.

    Security issues have been fixed in the latest plugin update.

    @webtemyk

    Can we get more information? What was the vulnerability? What did they have access to? Should db passwords be updated on all sites that were running this?

    Plugin Support webtemyk

    (@webtemyk)

    @duckpindesign There was no access to information. The vulnerability was to redirect to other sites.

    Also, the changelog doesn’t describe anything, just a new version update.
    If anything, it should say that it fixed a vulnerability that allowed a non-authenticated user to create new redirects. Or similar.
    I don’t feel like that is violating the specifics of the vulnerability, just acknowledging that there was a bug, and that’s why you should update now.

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    I’ve un-archived a number of posts.

    It’s OKAY to ask for details on this situation. I understand why the forum team cleaned the posts up, but this is a case where it’s actually appropriate.

    Details on what this hack was and its impact have been published at https://blog.nintechnet.com/unauthenticated-option-changes-in-wordpress-simple-301-redirects-addon-bulk-uploader-plugin/

    The Plugin Review Team RECOMMENDS but does not require developers to fully disclose the details on hacks and their fixes, in order to promote transparency with regards to open source development.

    That said, we also REQUEST that if you find a NEW vulnerability that isn’t patched, you contact the plugin dev PRIVATELY (not disclosing the hack in public) and send them details. If they don’t reply, or you can’t figure out how to do that, email plugins@wordpress.org and we can help 🙂

    Responsible disclosure is nuanced and complex, we know. The intent here is very clearly people wanting to know what the hack was, how to know if they were impacted, and how to clean it up.

    Which yes, the developer SHOULD be able to tell you.

    My apologies to everyone who had their replies moderated. We were a little overzealous, since we’ve had a run of people disclosing vulnerabilities in public without giving the developer a chance to fix it first.
