• Resolved Stef

    (@serafinnyc)


    How and why is this app updating across 500+ sites automatically since 10 hours ago, on sites that are set to NOT auto-update?

    On a few of the sites the activity of this happening is not being logged or noted. And the sites are not connected through Woo or WP.

    Is there a security issue in the repo? What’s going on? This is not good. This is like a rogue app on its own.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Yeah, this looks like a forced update for security reasons pushed by (or with facilitation from) the www.ads-software.com team.

    Or the auto-update function settings were broken. It surprises me that part of a forced update (assuming this is what it is) doesn’t include communication about it (and I recommend that to any www.ads-software.com team member reading).

    Thread Starter Stef

    (@serafinnyc)

    Their changelog doesn’t say anything about a security update. 2 things only and they’re pretty lame to force an update on folks. Not to mention that the IPs that accessed our clients are all over the place. They’re not one repo IP.

    It’s something rogue about this all.

    I don’t know about the first line, but the second line in the changelog about sanitization and escaping is a security fix (that’s what sanitization and escaping improve). They could (and should) make it a lot more clear, though, obviously!

    7.4.1 – 2023-05-30

    • Fix – Add Order Key Validation.
    • Fix – Add sanitization and escaping some outputs.
    Thread Starter Stef

    (@serafinnyc)

    That I saw, but that’s pretty standard. I was expecting a huge, like, “oops, we blew it and we left a backdoor open and oh well” it was something else. You don’t go and force your way into hundreds of thousands of sites I’m sure for a sanitizing issue, unless it was sticking :o)

    We’ll probably never get the truth either. Hopefully we do.

    Plugin Support dougaitken

    (@dougaitken)

    Automattic Happiness Engineer

    Hey @serafinnyc, good to see your avatar again but not under ideal circumstances.

    Thanks for reaching out, I can appreciate the surprise seeing that the WooCommerce Stripe Payment Gateway had updated when auto updates were disabled.

    There are occasions for updates where plugins have the option to override the default setting, but this is not something the Woo team can do ourselves and this must be authorized and handled by the Plugin Review team.

    There will be an email sent to the Stripe account holder with more details – we wanted to ensure sites were updated before sharing more information about this.

    Please know this wasn’t an update taken lightly. This was a required release that needed to be updated on all sites.

    Thanks,

    Thread Starter Stef

    (@serafinnyc)

    @dougaitken my brotha from another motha. Miss you man. How are you?

    Appreciate that update and look forward to the response from Stripe team as well. Take care.

    Hi @serafinnyc

    You are most welcome!

    Meanwhile, I will be marking this thread as resolved. Should you have further inquiries, kindly create a new topic here.

    Thanks!

  • The topic ‘App Is Auto-Updating Despite Auto Updating Being Disabled’ is closed to new replies.