• I used this app to create a user, that user was a pretty random name, complex, and not publicly known, something like “Aramtias Copestone”, only known to myself and a relative. Within hours after sending that link, my site registered several attempts to login using variations of that very name “aramtias-copestone”. (Of course not the real one I used, but you get the idea.)

    How is that possible? Does your app have a talk-back functionality? Can anyone other than myself, even you who created this app, see this somehow?

    I find this EXTREMELY DISTURBING and am considering reporting this as a security issue to WordPress, I assume they have some kind of reporting function.

    In this I can assure you that the other person and I have reasonable safety measures in our web site and mail management so it is, to our knowledge, impossible for anyone to know anything about this, in particular in so short a time span as a few hours.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Asmi Patel

    (@asmipatel)

    Hi @homdax,

    We follow best coding practices and also take care of the WordPress security measures. Also, we haven’t yet heard about this kind of issue from any of our users till now.

    In your case, we would like to point out that if a temporary user is created, the plugin takes care of it and does not allow anyone to log in through that user’s credentials (username, password) and even the password reset is prohibited for that user.

    And no, even we have no control over your data.

    Hope this clears your doubts. Let us know if you have any more insights on this. We will be happy to look into it.
    Thank You!

    Thread Starter hw2junkyarddawg

    (@homdax)

    Hello Asmi,
    I have no reason to doubt your reply, then again, this is rather strange.

    Plugin Support Asmi Patel

    (@asmipatel)

    Hi @homdax,

    Yes, it is indeed strange. Currently, we cannot conclude what exactly (might not even be related to the plugin) could have led this to happen, but we can assure you that the plugin does handle a lot of security aspects.

    Hope this helps.
    Thank You!

    Possible reasons:

    Your site is already hacked or has malware.
    It has a vulnerability that allows attackers to get a list of all users/authors.
    If that temp user posted something on the site as an author, then his name is then public.

  • The topic ‘Security Issue! Created credentials exposed…’ is closed to new replies.