Installed without consent, bad company
A user installed this plugin on my network without install_plugins capabilities via StudioPress’s Genesis theme. Today, I got notified that a security fix had been committed for one of the plugins on my network.
I inspected the security fix, and practically, a user was permitted to install this backdoor. No wonder it got 100k+ installs while being a most obscure addition to WordPress.
The Genesis theme also installed a couple of Awesome Motive plugins via this, a company that goes against everything WordPress that I wouldn’t dare to touch with a 10-foot cable. They do this via genesis_do_onboarding_pack_selection(), which checks for manage_options, not install_plugins or is_super_admin(), allowing anyone to hijack an open WordPress Multisite network.
I reported these security issues to them two years ago, but obviously, they still haven’t been resolved. They show no care about your website.
Moreover, this plugin pollutes the global namespace with functions like is_heading() (without a namespace). I don’t know who StudioPress is hiring nowadays, but the senior developers are long gone since its merger with WP Engine.
Amateurs.
You shouldn’t have ignored my previous calls, so enjoy this stain on your record.
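For network owners who cannot patch the theme, the capability gap described in the post (a manage_options check where install_plugins or is_super_admin() is expected) can be closed at the network level. The mu-plugin below is an added example, not code from the post, StudioPress or WordPress core. It assumes the installer runs through core's Plugin_Upgrader, and the function name, error code and file name are hypothetical.

```php
<?php
/**
 * Added illustration: wp-content/mu-plugins/example-install-gate.php (hypothetical name).
 *
 * On Multisite every single-site administrator holds manage_options, while
 * core maps install_plugins to do_not_allow for anyone who is not a super
 * admin. Code that gates an installer on manage_options therefore lets site
 * admins add plugins network-wide. This filter re-applies the stricter check
 * to every fresh plugin install that goes through Plugin_Upgrader.
 */
function example_gate_plugin_install( $response, $hook_extra ) {
	// Keep an earlier failure from another filter untouched.
	if ( is_wp_error( $response ) ) {
		return $response;
	}

	// Plugin_Upgrader::install() marks fresh installs with these two keys;
	// updates and theme operations pass through unchanged.
	$is_plugin_install = isset( $hook_extra['type'], $hook_extra['action'] )
		&& 'plugin' === $hook_extra['type']
		&& 'install' === $hook_extra['action'];

	// WP-CLI runs without a logged-in user; shell access is trusted here (assumption).
	$is_cli = defined( 'WP_CLI' ) && WP_CLI;

	if ( $is_plugin_install && ! $is_cli && ! current_user_can( 'install_plugins' ) ) {
		// Leave a trace for later review: who tried, and from which site.
		error_log( sprintf(
			'Blocked plugin install: user %d on blog %d lacks install_plugins',
			get_current_user_id(),
			get_current_blog_id()
		) );

		return new WP_Error(
			'example_install_denied',
			'Plugin installation requires the install_plugins capability.'
		);
	}

	return $response;
}
add_filter( 'upgrader_pre_install', 'example_gate_plugin_install', 10, 2 );
```

Because upgrader_pre_install fires after the package has been downloaded and unpacked, this stops the install step but not the download itself.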