• Resolved sunsetsushi

    (@sunsetsushi)


    The user data of simple membership plugin I use (free version) has been compromised. The user data from my website has been hacked and is available on google.

    Please advise as to how I can get this user data off of google.

    Thank you!

Viewing 15 replies - 1 through 15 (of 21 total)
  • Thread Starter sunsetsushi

    (@sunsetsushi)

    The issue is with how simple membership plugin programs uploaded user data. Under properties the box “world” is checked when it shouldn’t be checked at all if data is uploaded to simple membership.

    Please be sure to fix this for all of your members to ensure the data of the users is not compromised through being available on google search.

    Website owner’s users data is otherwise compromised if this is not corrected with your programmers.

    I’m uninstalling the plugin and finding a more secure option.

    Plugin Support mbrsolution

    (@mbrsolution)

    Hi,

    Under properties the box “world” is checked when it shouldn’t be checked at all if data is uploaded to simple membership.

    Can you provide a screen capture so we know what you are referring to?

    Thank you

    Thread Starter sunsetsushi

    (@sunsetsushi)

    Yes, here’s the screenshot

    https://archangelsbless.com/wp-content/uploads/2019/01/Z-user-data-1.png

    I deleted the user data files, but they were located under uploads in my hosting file manager under each year and month.

    Plugin Support mbrsolution

    (@mbrsolution)

    Hi, thank you for sharing the screen capture.

    What you are talking about is file permissions. This is not related to this plugin. That is more related to how you set up your site’s file and folder permissions on your server.

    Kind regards

    Thread Starter sunsetsushi

    (@sunsetsushi)

    I understand what you are saying, however it still shouldn’t be automatically showing on google, the user data.

    That is a concern for others using this plugin. I spoke to my hosting provider and they said it is how the plugin is designed with how it stores files.

    There should be a way to prevent this from happening to your users on your end with regard to user data.

    Plugin Support mbrsolution

    (@mbrsolution)

    Thank you for sharing more information. I have submitted a message to the developers to investigate further your concern and suggestion.

    Kind regards

    Plugin Author wp.insider

    (@wpinsider-1)

    I am not 100% sure what you are talking about. Are you referring to a CSV file that you uploaded yourself to import member data? That is not part of the main plugin’s functionality anyway. Maybe you used an addon to upload a CSV file. I will know more when you tell me what file you are talking about. Your screenshot has it blurred so I couldn’t see the actual file you are talking about.

    Thread Starter sunsetsushi

    (@sunsetsushi)

    Here’s where the files were before I deleted them from my hosting account.

    Would you please delete all the links I’ve posted in this thread that reference my website. I really don’t want my website links showing up on the search engines for this.

    I also have not uploaded user data to my website or hosting file manager so I don’t know how the user-data.xlsx is being generated each month under uploads.

    Thank you!

    /public_html/archangelsbless.com/wp-content/uploads/2018/02/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2018/04/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2018/06/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2018/01/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2018/07/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2018/08/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2018/03/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2018/09/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2018/05/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2017/04/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2017/12/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2017/06/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2017/07/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2017/11/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2017/08/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2017/03/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2017/10/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2017/09/users-data.xlsx
    /public_html/archangelsbless.com/wp-content/uploads/2017/05/users-data.xlsx

    Plugin Support mbrsolution

    (@mbrsolution)

    Hi,

    Would you please delete all the links I’ve posted in this thread that reference my website. I really don’t want my website links showing up on the search engines for this.

    Unfortunately we don’t control the files in the thread. You will have to contact wordpress admin staff.

    I also have not uploaded user data to my website or hosting file manager so I don’t know how the user-data.xlsx is being generated each month under uploads.

    Our plugin does not produce or generate users-data.xlsx files. You must have a plugin that is automatically creating those files for you in your site. You should investigate further this issue. If you don’t know how this is happening in your site, you should speak to your host about this issue.

    Kind regards


    I am following this thread with keen interest. My own paranoia runs really really deep.

    I, too, am curious who/what is creating the user files, and then why they are placing them in the UPLOAD folder.
    _____
    I noticed that the files shown seem to be monthly files, and the September-December 2018 files are missing (2018/09, 2018/10, etc.). Also, files from before 2017/03 are not shown. Was Feb/Mar possibly the time the issue began?
    _____
    My own Google Search for [“wp-content” “users-data.xlsx”] found LOTS of this kind of file from MANY different sites, and it IS a serious data breach if only because of an administrator’s ignorance….

    A Google search of [“wp-content/downloads” “users-data.xlsx”] showed no results.
    _____
    Finally, I’ve been reviewing each of the sites I maintain, and I haven’t found any XLS files, much less with the name user-data.

    I did find that /wp-content/uploads/2017/ is where most of my images are stored – and shared! So this folder does have to be readable by the “world.” (Sunsetsushi’s original fix won’t work.)

    ____

    So, AFAIK, the “hunt is on” for the plugin that creates “user-data” .xls files and puts them in the wp-content/uploads folder.

    Thread Starter sunsetsushi

    (@sunsetsushi)

    RJaggers,

    I figured out it might have been a plugin I was using a while back but I don’t know the name of it.

    It was a free plugin I downloaded after doing a search for “export users” in the plugin panel of wordpress.

    How you can tell if you come across this plugin is you export users and the file is called, “User Data” in your download folder.

    Even though I did this weekly as a backup type thing, it must have monthly just generated one file in my hosting account called user-data.xsl.

    Why didn’t it generate a user-data.xsl file each time I did a download? Maybe it overwrote the original version it created that month… not sure?

    I ended up uninstalling this plugin because it just didn’t work anymore or perhaps they wanted you to buy a pro version to do the export, I can’t remember.

    The export plugin I’m using now does not create an xsl file in my hosting account.

    Strange, but glad to know what this issue was exactly.

    Thread Starter sunsetsushi

    (@sunsetsushi)

    The plugin could have been called…

    WP All Export

    Thread Starter sunsetsushi

    (@sunsetsushi)

    by Soflyy

    SunsetSushi,

    Thank you for following up and sharing your findings.

    Fortunately I’ve not installed any export plugins.

    My personal paranoia still runs deep, but I’m reassured about this particular plugin.

    — Rick

    Thread Starter sunsetsushi

    (@sunsetsushi)

    Yes, me too. This plugin is secure thank goodness!

    At least I know what caused it and what to look for now.

    Glad to be of assistance to all to watch out for an export plugin that generates a download file called, “user data”.

    If this happens, check your uploads folder inside your hosting file manager files to be sure there isn’t a file called “user-data.xlsx” for each month and delete it along with that plugin.

    Happy to find that Simple Membership Plugin is secure and the developers cared enough to research if it was their plugin or not.

    Thank you Developers and MBRsolutions!
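
An added example, not part of any post in this thread or of either plugin's code: a Python audit that walks a wp-content/uploads tree and lists spreadsheet and data-export files such as the users-data.xlsx files discussed above. The extension list, the name hints other than users-data, and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumption: extensions that usually hold exported records rather than media.
EXPORT_EXTENSIONS = {".xlsx", ".xls", ".csv", ".sql", ".json", ".xml"}
# "users-data" comes from the thread; the other hints are assumed variants.
NAME_HINTS = ("users-data", "user-data", "export", "members")


def find_export_files(uploads_root):
    """Return (relative_path, world_readable, name_hint) for data files in uploads."""
    root = Path(uploads_root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXPORT_EXTENSIONS:
            continue
        # The "world" box in a hosting file manager maps to the other-read bit.
        # A file can still be served without it if the web server runs as the
        # owner or group, so the file's presence in uploads is the finding.
        world_readable = bool(path.stat().st_mode & stat.S_IROTH)
        hinted = any(h in path.name.lower() for h in NAME_HINTS)
        findings.append((path.relative_to(root).as_posix(), world_readable, hinted))
    return findings


def build_sample_tree(base):
    """Constructed sample: a year/month uploads layout like the one in the thread."""
    files = {
        "2018/02/users-data.xlsx": 0o644,
        "2018/02/header.png": 0o644,      # ordinary media, must stay readable
        "2018/03/users-data.xlsx": 0o640,
        "2017/05/price-list.csv": 0o644,
    }
    for rel, mode in files.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample")
        os.chmod(p, mode)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, world, hinted in find_export_files(build_sample_tree(tmp)):
            label = "LIKELY USER EXPORT" if hinted else "review"
            print(f"{rel}  world-readable={world}  {label}")
```

On a real site, pass the path of the uploads directory to `find_export_files` instead of the sample tree; images are ignored, since that folder has to stay readable for them.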

  • The topic ‘simple membership plugin user data hacked and available on google’ is closed to new replies.