• Resolved sallam

    (@sallam)


    This is a great plugin.
    But I just found out that it sends admin IP number and other data to users in the email notification they get when someone replies to a comment they made, and if the reply was from the admin, the user is sent their critical data!

    Does this plugin add information to all emails sent by the blog?
    Is there any way I can prevent that please?

    The plugin I use to notify my users of replies to their comments is:
    https://www.ads-software.com/plugins/comment-reply-notification/

    Even if I select to hide technical data in comment notifications, your plugin still adds a line displaying an option to block the ip address of the admin (if the reply was from them).

    https://www.ads-software.com/plugins/wp-spamshield/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Contributor redsand

    (@redsand)

    You are incorrect. WP-SpamShield does not send critical admin data to users. If this is happening, then something else is changing the standard function of things. As with your last support post, again, you are attributing an issue to the plugin that is not caused by WP-SpamShield.

    WP-SpamShield does add extra data to the notifications that are sent to the admin when a new comment is posted. Yes, there is an option in the Settings page, to turn off extra data in comment notifications, “Hide extra technical data in comment notifications.” It sounds like the other plugin is changing the usage of the notifications incorrectly.

    Your other plugin has not been updated in over two years, so you’re already running a security risk by using it.

    Please submit a support request per plugin documentation if you have further issues or would like me to look into specifics for you and explain further: WP-SpamShield Support Page.

    Thread Starter sallam

    (@sallam)

    I’m sure it’s your plugin that adds such data.
    Here is a quote from email sent for a comment notification:

    Blacklist the IP Address: https://mydomain.com/wp-admin/options-general.php?page=wp-spamshield&wpss_action=blacklist_ip&submitter_ip=my.ip.address.number
    —————————————————————–
    Additional Technical Data Added by WP-SpamShield
    —————————————————————–
    Referrer:
    User-Agent (Browser/OS): Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
    IP Address: my.ip.address.number
    Server: host-my.ip.address.number.ISP provider
    IP Address Lookup: https://whatismyipaddress.com/ip/my.ip.address.number
    (This data is helpful if you need to submit a spam sample.)

    If I disable adding the tech data, the block ip address line does still get added, showing admin ip. The url given has your plugin name.

    Plugin Contributor redsand

    (@redsand)

    Please read my response….it does add the extra data…but it only goes to the admin. If it’s functioning differently, then the other plugin is changing the behavior incorrectly. It should not be sending admin emails to regular users.

    Sallam, as I said, please submit a support request at our support page.

    Thread Starter sallam

    (@sallam)

    You’re right, the option to hide tech data solved half the problem. I just want to hide also the line offering to block the ip. Is there such an option?
    If not could you guide me to where I can remove it from the code of your plugin files please?

    Plugin Contributor redsand

    (@redsand)

    That line is only sent to admins. If it’s going to regular users, then the other plugin is modifying things incorrectly.

    We do not provide support or advice for hacking the plugin.

    As I mentioned twice now, please submit your support request to our support page. This is not our main support venue. We will need to email back and forth with you to effectively help you.

    Plugin Contributor redsand

    (@redsand)

    Just a heads up, I checked the code of the other plugin, and my suspicion was correct.

    Plugin Contributor redsand

    (@redsand)

    Lines 242-244 in the Comment Reply Notification plugin are causing the issue:

    $mail_message = apply_filters('comment_notification_text', $mail_message, $id);
    $mail_subject = apply_filters('comment_notification_subject', $mail_subject, $id);
    $mail_headers = apply_filters('comment_notification_headers', $mail_headers, $id);

    These are filters used in the WordPress core function that’s used to notify authors – wp_notify_postauthor(). Duplicating these filters isn’t a great idea…by adding these filters to his own email notification function without any validation or authentication it will create unexpected results.

    It would be one thing if he included all the filters from that function which would allow for some validation on the recipient email addresses, but he did not so it makes validation more of a challenge.

    If you delete those lines or comment them out like below, it should take care of your issue without hampering any functionality:

    /*
    $mail_message = apply_filters('comment_notification_text', $mail_message, $id);
    $mail_subject = apply_filters('comment_notification_subject', $mail_subject, $id);
    $mail_headers = apply_filters('comment_notification_headers', $mail_headers, $id);
    */

    I would alert the author to fix this but it doesn’t seem to be supported anymore.

    The only thing I can do on my end is look into creating workarounds and extra validation for future versions to try and prevent this type of situation from coming up again.
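The failure mode described in the post above, and one way a plugin could guard its admin-only additions against it, as an added example that is not part of the original thread and not code from WP-SpamShield, Comment Reply Notification or WordPress core. It assumes a minimal stand-in for the hook API so it runs under plain `php`; the `ADMIN_EMAILS` list, the sample addresses and IP, and the `core_notify`/`reply_notify` helpers are hypothetical (a real plugin would check user capabilities rather than a fixed list).

```php
<?php
// Stand-alone demo; the two functions below are a minimal stand-in for the
// WordPress hook API, not the real implementation.
$hooks = [];
function add_filter($tag, $fn, $priority = 10, $accepted_args = 1) {
    global $hooks;
    $hooks[$tag][] = $fn;
}
function apply_filters($tag, $value, ...$args) {
    global $hooks;
    foreach ($hooks[$tag] ?? [] as $fn) {
        $value = $fn($value, ...$args);
    }
    return $value;
}

const ADMIN_EMAILS = ['admin@example.test']; // constructed sample address
$validated = []; // comment IDs whose recipient list passed the admin check

// wp_notify_postauthor() filters the recipient list before it builds the text,
// so this is where the recipients can be checked.
add_filter('comment_notification_recipients', function ($emails, $id) {
    global $validated;
    $validated[$id] = $emails && !array_diff($emails, ADMIN_EMAILS);
    return $emails;
}, 10, 2);

// Append admin-only data only if the recipient check ran and passed for this
// comment ID; otherwise return the text untouched.
add_filter('comment_notification_text', function ($text, $id) {
    global $validated;
    if (empty($validated[$id])) {
        return $text;
    }
    unset($validated[$id]); // one approval covers one message
    return $text . "\nIP Address: 203.0.113.7"; // constructed sample value
}, 10, 2);

// Core-style path: recipients filter first, then the text filter.
function core_notify($id) {
    apply_filters('comment_notification_recipients', ADMIN_EMAILS, $id);
    return apply_filters('comment_notification_text', "New comment #$id", $id);
}
// Path from the thread: the text filter reused alone for mail to a commenter.
function reply_notify($id) {
    return apply_filters('comment_notification_text', "Reply to comment #$id", $id);
}

echo core_notify(1), "\n---\n", reply_notify(2), "\n";
```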

    Thread Starter sallam

    (@sallam)

    Thanks very much Scott. Your help continues to amaze me.
    I guess I’ll stop using that faulty old plugin, and look for a better replacement.

    You are correct. When I tried another comment notification plugin (https://www.ads-software.com/plugins/comment-email-reply/) the problem disappeared.

    Thanks so much for your great help and time.

    Plugin Contributor redsand

    (@redsand)

    You’re welcome, Sallam. I’m glad I could help.

  • The topic ‘WP-SpamShield sends admin data to users!’ is closed to new replies.