WP CRM Sent 1000’s of rogue emails for no reason

Resolved saltyruss
(@saltyruss)

4 years, 2 months ago

I have tried several times to contact you via support tickets, contact us on your website, and email. Nothing seems to work.

After installing your WP CRM I processed a test by importing users = ‘Buyer’ from my real estate website. There are only two users that met that test category. However, your WP CRM proceeded to import every real estate agent in the MLS and proceeded to send them an email stating that their email address had been changed. I need your help debugging this so I can notify the 1000’s of realtors that received this strange message exactly what happened, why, and what the corrective action is.

The email was poorly formatted and ugly, there was never a notification or statement that an email would be sent to users, let alone a confirmation step. Your import instructions are not even English. Example:
Import User Role >> User Role >> ‘Selected user role are considered to import’
What does that mean? Does that mean that the selected user role will or will not be imported? I selected a user role that only had 2 test records and your WP CRM processed thousands…
Another Example: Import Users Into CRM >> Contact Owner >> “Contact owner for contact” What does that mean? This statement is on the ‘Import Users Into CRM’ so is this tool importing Users or Contacts?

Your WP CRM sent 1000’s of emails to every realtor in the MLS with no notification that it would do this, after I selected only 2 test records to sample functionality with, and did so with no confirmation warning – Something like ‘Hey, you are about to send 57,000 emails, please review the email format and content then click Confirm to proceed or Cancel to cancel. That seems just like a standard validation step before sending 57,000 emails.

Again, I have tried to reach you in several ways: I have submitted several entries in your contact us form, I have created 5 support tickets, I have sent my information and problem via your online chat. All have been ignored without so much as a ‘thank you for contacting us, we will respond shortly’ confirmation – Although your website does create a green banner stating the submission was successful.

I need your help – I need to communicate to the MLS and the realtors what happened and that their data is safe. I need to know what your WP CRM did, and I need you to confirm that your WP CRM does not steal information for nefarious or criminal purposes.

The page I need help with: [log in to see the link]

Viewing 10 replies - 1 through 10 (of 10 total)

Mehedi Hasan
(@thebengalboy)

4 years, 2 months ago
My apologies @saltyruss for the inconvenience you had but can you please make sure it’s WP ERP? I’m asking because you mentioned WP CRM which is a different plugin- not from us.

Also, WP ERP doesn’t send any email that contains ‘Your email has changed’. If you find those words in the whole WP ERP codebase, you’ll see there is none. Basically, WP ERP doesn’t have any function that contains something like this. So, I assume something else may happen?

Point to be noted as well; WP ERP could not send any email until you connect SMTP from the settings. So, as you mentioned the users got the email immediately- means you have not connected the SMTP yet. Without an SMTP connection, WP ERP can not send an email.

We want to solve your problem if it’s really causing by WP ERP. Kindly cooperate with us by confirming the followings:

1. Confirm it’s WP ERP
2. Confirm you have SMTP connected
3. Confirm how did you import the users
4. The exact email that the users got

Thanks
- This reply was modified 4 years, 2 months ago by Mehedi Hasan.
Thread Starter saltyruss
(@saltyruss)

4 years, 2 months ago

Here is an alphabetical list of all my plugins. WP ERP has a module called CRM. that’s you. – all you. your plugin sent 57,000 BS emails with no notice, no configuration, and without confirmation. I have sent you super admin login credentials – you have done nothing. You say your plugin doesn’t send emails like that – Very convenient public statement – However, your plugin did. Have you used the admin credentials I sent you to confirm. No, you haven’t. I have all user logins logged. You haven’t even tried. Get Real. This is serious. You sent BS emails to 57,000 email addresses with no warning or confirmations. Very sad, to say the least.

Still no response from your contact us page, no response to my emails, no response to your online chat. nothing. Only self-preservation on a public forum. you have Super Admin access to my site. Please, help me find the root cause. Your plugin screwed this up.

Plugin list:
User Login History
Network Active | Troubleshoot
Helps you to know your website’s visitors by tracking their login related information like login/logout time, country, browser and many more.

Version 2.0.0 | By Er Faiyaz Alam | View details
Select Web 2.0 Directory plugin
Web 2.0 Directory plugin
Settings | Deactivate | Troubleshoot
Build Directory or Classifieds site in some minutes. The plugin combines flexibility of WordPress and functionality of Directory and Classifieds

Version 2.6.8 | By salephpscripts.com | View details | Documentation | Changelog
Select WP Encryption – One Click SSL & Force HTTPS (Premium)
WP Encryption – One Click SSL & Force HTTPS (Premium)
Upgrade | Change License | Opt Out | Deactivate | Troubleshoot
Secure your WordPress site with free SSL certificate and force HTTPS throughout the site. Just activating this plugin won’t help! – Please run the SSL install form of WP Encryption found on left panel.

Version 5.2.13 | By Go Web Smarty | View details
WP ERP
Network Active | Troubleshoot | Settings | Docs
An Open Source ERP Solution for WordPress. Built-in HR, CRM and Accounting system for WordPress

Version 1.7.4 | By weDevs | View details
WP ERP – PDF Invoice
Network Active | Troubleshoot
PDF invoice for WP ERP

Version 1.1.3 | By weDevs | View details
WP Google Maps
Get Pro Version | Settings | Map Editor | Network Active | Troubleshoot
The easiest to use Google Maps plugin! Create custom Google Maps with high quality markers containing locations, descriptions, images and links. Add your customized map to your WordPress posts and/or pages quickly and easily with the supplied shortcode. No fuss.

Version 8.0.31 | By WP Google Maps | View details
WP Rocket
Settings | FAQ | Docs | Support | Network Active | Troubleshoot
The best WordPress performance plugin.

Version 3.8.2 | By WP Media | Visit plugin site
WPBakery Page Builder
Settings | Network Active | Troubleshoot
Drag and drop page builder for WordPress. Take full control over your WordPress site, build any layout you can imagine – no programming knowledge required.

Version 6.3.0 | By Michael M – WPBakery.com | View details
Yoast SEO
Get Premium | FAQ | Settings | Network Active | Troubleshoot
The first true all-in-one SEO solution for WordPress, including on-page content analysis, XML sitemaps and much more.

Version 15.5 | By Team Yoast | View details
Yoast Test Helper
Network Active | Troubleshoot
Utility to provide testing features for Yoast plugins.

Version 1.12 | By Team Yoast | View details
Select All Plugin Description

Thread Starter saltyruss
(@saltyruss)

4 years, 2 months ago

Here is a forwarded message I received from one on the realtors:

”
———- Forwarded message ———
From: WordPress <wordpress@oahurealtypro.com>
Date: Fri, Jan 8, 2021 at 10:40 AM
Subject: [Oahu Realty Pro] Email Changed
To: <???????@????????.com> I added ‘?’ to protect the innocent. (rj)

Hi 3476269, This notice confirms that your email address on Oahu Realty Pro was changed to ????????@???????hawaii.com. If you did not change your email, please contact the Site Administrator at russ@pcnllc.net This email has been sent to ?????@??????hawaii.com Regards, All at Oahu Realty Pro https://www.oahurealtypro.com
”

Every realtor in the MLS system got this after I used your WP ERP – CRM Module >> import Users function. I selected a user category that has only 2, two, users in it. Yet, your plugin imported and sent emails to 57,000 realtors.

The instructions aren’t even written in English. what does “Selected user role are considered for import” mean? What is that? What does that function do? I thought it meant that only the selected categories would be imported. I NEVER expected that your plugin would send BS emails to 57,000 people without a confirmation step.

Mehedi Hasan
(@thebengalboy)

4 years, 2 months ago

Oh dear, this is an email that sends by WordPress itself when a user password changed. Not the WP ERP!

Thread Starter saltyruss
(@saltyruss)

4 years, 2 months ago

@thebengalboy

I reached out to your organization several times for a few days via several different methods. I had no response from your organization during that time. I finally posted something here and the wp support forum in hopes that you would respond and at least attempt to help. My dashboard on your site still states, “No support conversation found !” as of this writing.

As you and I discussed, your plugin caused WP to send these emails. You have admin rights to my site; the log shows that nothing else was going on other than your Import User routine – which I had only selected 2 test users to import. At that time, your plugin imported everyone in my database (which is a bug in your code) did an operation that triggered WordPress to send the messages. Please review your code to see what operation you are performing to trigger WordPress to send an email that says:
“This notice confirms that your email address on [site name] was changed to ????????@???????hawaii.com.”

The WP code is fairly simple and triggers an email to be sent if the email address has been changed. The emails in the messages that your plug triggered had not been changed. Not one. They are all the same as they have been for weeks. The WP email_change_email code is triggered when the email address of a user has changed or when your plugin does something in the user email field that WP thinks is a change. The WP email_change routine calls the password change email notification routine and modifies the array to be used for the email change message.

$pass_change_email = array(
‘to’ => $user[‘user_email’],
/* translators: Password change notification email subject. %s: Site title. */
‘subject’ => __( ‘[%s] Password Changed’ ),
‘message’ => $pass_change_text,
‘headers’ => ”,
);

/**
* Filters the contents of the email sent when the user’s password is changed.
*
* @since 4.3.0
*
* @param array $pass_change_email {
* Used to build wp_mail().
*
* @type string $to The intended recipients. Add emails in a comma separated string.
* @type string $subject The subject of the email.
* @type string $message The content of the email.
* The following strings have a special meaning and will get replaced dynamically:
* – ###USERNAME### The current user’s username.
* – ###ADMIN_EMAIL### The admin email in case this was unexpected.
* – ###EMAIL### The user’s email address.
* – ###SITENAME### The name of the site.
* – ###SITEURL### The URL to the site.
* @type string $headers Headers. Add headers in a newline (\r\n) separated string.
* }
* @param array $user The original user array.
* @param array $userdata The updated user array.
*/
$pass_change_email = apply_filters( ‘password_change_email’, $pass_change_email, $user, $userdata );

$pass_change_email[‘message’] = str_replace( ‘###USERNAME###’, $user[‘user_login’], $pass_change_email[‘message’] );
$pass_change_email[‘message’] = str_replace( ‘###ADMIN_EMAIL###’, get_option( ‘admin_email’ ), $pass_change_email[‘message’] );
$pass_change_email[‘message’] = str_replace( ‘###EMAIL###’, $user[‘user_email’], $pass_change_email[‘message’] );
$pass_change_email[‘message’] = str_replace( ‘###SITENAME###’, $blog_name, $pass_change_email[‘message’] );
$pass_change_email[‘message’] = str_replace( ‘###SITEURL###’, home_url(), $pass_change_email[‘message’] );

wp_mail( $pass_change_email[‘to’], sprintf( $pass_change_email[‘subject’], $blog_name ), $pass_change_email[‘message’], $pass_change_email[‘headers’] );
}

if ( ! empty( $send_email_change_email ) ) {
/* translators: Do not translate USERNAME, ADMIN_EMAIL, NEW_EMAIL, EMAIL, SITENAME, SITEURL: those are placeholders. */
$email_change_text = __(
‘Hi ###USERNAME###,

This notice confirms that your email address on ###SITENAME### was changed to ###NEW_EMAIL###.

If you did not change your email, please contact the Site Administrator at
###ADMIN_EMAIL###

This email has been sent to ###EMAIL###

Regards,
All at ###SITENAME###
###SITEURL###’
);

$email_change_email = array(
‘to’ => $user[‘user_email’],
/* translators: Email change notification email subject. %s: Site title. */
‘subject’ => __( ‘[%s] Email Changed’ ),
‘message’ => $email_change_text,
‘headers’ => ”,
);

/**
* Filters the contents of the email sent when the user’s email is changed.
*
* @since 4.3.0
*
* @param array $email_change_email {
* Used to build wp_mail().
*
* @type string $to The intended recipients.
* @type string $subject The subject of the email.
* @type string $message The content of the email.
* The following strings have a special meaning and will get replaced dynamically:
* – ###USERNAME### The current user’s username.
* – ###ADMIN_EMAIL### The admin email in case this was unexpected.
* – ###NEW_EMAIL### The new email address.
* – ###EMAIL### The old email address.
* – ###SITENAME### The name of the site.
* – ###SITEURL### The URL to the site.
* @type string $headers Headers.
* }
* @param array $user The original user array.
* @param array $userdata The updated user array.
*/
$email_change_email = apply_filters( ’email_change_email’, $email_change_email, $user, $userdata );

$email_change_email[‘message’] = str_replace( ‘###USERNAME###’, $user[‘user_login’], $email_change_email[‘message’] );
$email_change_email[‘message’] = str_replace( ‘###ADMIN_EMAIL###’, get_option( ‘admin_email’ ), $email_change_email[‘message’] );
$email_change_email[‘message’] = str_replace( ‘###NEW_EMAIL###’, $userdata[‘user_email’], $email_change_email[‘message’] );
$email_change_email[‘message’] = str_replace( ‘###EMAIL###’, $user[‘user_email’], $email_change_email[‘message’] );
$email_change_email[‘message’] = str_replace( ‘###SITENAME###’, $blog_name, $email_change_email[‘message’] );
$email_change_email[‘message’] = str_replace( ‘###SITEURL###’, home_url(), $email_change_email[‘message’] );

wp_mail( $email_change_email[‘to’], sprintf( $email_change_email[‘subject’], $blog_name ), $email_change_email[‘message’], $email_change_email[‘headers’] );
}

if ( $switched_locale ) {
restore_previous_locale();
}
}

Thread Starter saltyruss
(@saltyruss)

4 years, 2 months ago

@thebengalboy

What does “Selected user role are considered for import” on the Import User Screen?

Russ

Mehedi Hasan
(@thebengalboy)

4 years, 2 months ago

Did you mean this? https://prnt.sc/wnxwxx

This doesn’t have any permission to modify the WordPress user. It just pulls the data into CRM. Takes a user Name and Email to create the leads in the CRM.

Thanks!

Thread Starter saltyruss
(@saltyruss)

4 years, 2 months ago

Hi,
No. The import function in WP ERP >> Tools >> Import >> Import Users to CRM.
Here’s a screenshot: https://prnt.sc/x336le
I agree that it’s strange. A get/echo/print of the email address field shouldn’t create a modified event trigger in the WP base code. Are you losing what you need from the WP user database into an array, or is your code grabbing directly from the email field?

Also,
The CRM states that there are no contacts and only one lead:
https://prnt.sc/x33tf5

However, the status tab states that over 1969 leads are in the system:
see here: https://prnt.sc/x33ggh

Russ

Thread Starter saltyruss
(@saltyruss)

3 years, 11 months ago

I figured out what caused the problem. It was NOT your plugin. It was another routine that was running at the same time I was testing your import. WP ERP is solid.

Russ

Mehedi Hasan
(@thebengalboy)

3 years, 11 months ago

Great, it’s good to hear you figured it out and you got a solution for the problem @saltyruss 🙂

Viewing 10 replies - 1 through 10 (of 10 total)

The topic ‘WP CRM Sent 1000’s of rogue emails for no reason’ is closed to new replies.