• Resolved MatMayer

    (@matmayer)


    I noticed that yesterday three of my sites using the MainWP plugin sent notifications of new user registrations, despite the fact that new user registrations were disabled! Also all of the new users were administrators. Usernames and emails were as follows:

    Username: mainwp-child-id-tC1p
    E-mail: [email protected]
    Username: mainwp-child-id-raFh
    E-mail: [email protected]
    Username: mainwp-child-id-63wn
    E-mail: [email protected]
    Username: mainwp-child-id-TUkl
    E-mail: [email protected]
    Username: mainwp-child-id-VWL3
    E-mail: [email protected]

    When I discovered this today I deleted these users and tried to update the MainWP Child plugin from version 2.0.27 to version 2.0.28 via auto-update but found it impossible as the version number stayed the same. Then I deactivated the MainWP Child plugin and tried to delete it. I was surprised to find the following message:

    You are about to remove the following plugins:

    MainWP Child by MainWP
    Vendi Abandoned Plugin Check by Vendi Advertising (Chris Haas)
    Vendi Abandoned Plugin Check by Vendi Advertising (Chris Haas)

    I don’t know if the “Vendi Abandoned Plugin Check” is a normal part of the MainWP child plugin but I discovered that another plugin was installed on all three sites: “WordPress admin security” by Edward Caissie.

    Another funny thing is that when I tried to replicate this behaviour and get the message about the “Vendi Abandoned Plugin Check” again, I noticed that even after deleting the MainWP Child plugin version 2.0.27 and installing it fresh from the WordPress Plugin Installer I get the old version 2.0.27 again instead of the new one (2.0.28).
    Also there are a couple of php files in the WordPress folders that shouldn’t be there like press.php in /wp-content/plugins

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator James Huff

    (@macmanx)

    I recommend asking at https://support.mainwp.com/support/home so the plugin’s developers can help you with this.

    Same here.
    A new admin user was created, although I don’t think they have added any plugins and a scan shows no changed files.
    I have opened a ticket with MainWP to see if it is a problem with their plugin.

    I just got this response from MainWP which seems to address the issue:

    “It’s been about 24 hours since our last announcement and about 48 hours since the first report of any issues (Check here for the original post).

    Where things currently stand:

    So far we have only seen Child sites running version 2.0.26 or lower affected.

    The first report came in about 4 days after the release of the security fix and still only seems to target un-updated sites.

    Update: September 9th

    We have found that the malicious file makes it look like you are running MainWP Child 2.0.27 even if you are on a lower version so be sure you are running 2.0.28 or higher.

    What we are currently doing:

    Releasing the WordFence Extension for free so you can watch and clean up any child sites that may get affected. This help doc will go over how to get and run the WordFence Extension including restoring original files.

    We have reached out to the WordPress Security email asking for feedback and a possible force upgrade for users who still have not updated.

    Requesting that MainWP users set MainWP as a trusted auto-update plugin in their Dashboard so the plugin auto-updates within 24 hours of a release. Check this help doc on how to set up MainWP as a trusted plugin.

    Join the MainWP mailing list, we mailed all our list members at the release of 2.0.27 that it was an important security update and to update right away. We would love as many people to be on that list as possible.

    Offering our assistance if you need any help, just submit a ticket at https://support.mainwp.com/

    What we are doing for the future:

    While both the MainWP Dashboard and Child code are publicly viewable and auditable on GitHub (Dashboard / Child) and are consistently being reviewed by White Hats looking for flaws in exchange for cash rewards (this is how the 2.0.27 fix was put in place before any exploits were reported) we are also having a third party fully review the code base.

    We’ll add the recommendation to set MainWP as a Trusted plugin to the initial MainWP setup steps to make that a more prominent suggestion for new users.”

    Moderator James Huff

    (@macmanx)

    Thanks for sharing your solution!

  • The topic ‘MainWP allows new user registrations and plugin installations’ is closed to new replies.
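
The signs reported in this thread (administrator accounts named `mainwp-child-id-…`, stray PHP files such as press.php directly in /wp-content/plugins, and a Child version below 2.0.28) can be checked with a short triage script. This is an added example, not part of any post above and not MainWP code; it assumes the user list comes from `wp user list --fields=user_login,roles --format=csv`, and the function names and sample data are constructed for illustration.

```python
import csv, io, re, tempfile
from pathlib import Path

# Login prefix taken from the usernames reported in the thread.
ROGUE_LOGIN = re.compile(r"^mainwp-child-id-")
# Approximation of the "Plugin Name:" file header WordPress looks for.
PLUGIN_HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:", re.M | re.I)
FIXED = (2, 0, 28)  # the thread says to run 2.0.28 or higher

def rogue_admins(users_csv: str) -> list[str]:
    """Administrator logins matching the reported naming pattern."""
    hits = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        roles = {r.strip() for r in row["roles"].split(",")}
        if "administrator" in roles and ROGUE_LOGIN.match(row["user_login"]):
            hits.append(row["user_login"])
    return hits

def loose_php_files(wp_root: Path) -> list[str]:
    """PHP files directly in wp-content/plugins that carry no plugin header.
    Heuristic only: a planted file could include a header of its own."""
    hits = []
    for f in sorted((wp_root / "wp-content" / "plugins").glob("*.php")):
        if f.name == "index.php":  # placeholder file shipped with WordPress
            continue
        if not PLUGIN_HEADER.search(f.read_bytes()[:8192]):
            hits.append(f.name)
    return hits

def child_needs_update(version: str) -> bool:
    """True when the version string is below 2.0.28. The thread notes the
    malicious file can display 2.0.27 on older installs, so a reported
    2.0.27 is still treated as needing the update."""
    return tuple(int(p) for p in version.split(".")) < FIXED

if __name__ == "__main__":
    # Constructed sample data, not taken from a real site.
    users = "user_login,roles\nalice,administrator\nmainwp-child-id-XXXX,administrator\n"
    print("suspicious admins:", rogue_admins(users))
    with tempfile.TemporaryDirectory() as d:
        plugins = Path(d) / "wp-content" / "plugins"
        plugins.mkdir(parents=True)
        (plugins / "index.php").write_text("<?php\n// Silence is golden.\n")
        (plugins / "press.php").write_text("<?php echo 1;\n")
        print("loose PHP files:", loose_php_files(Path(d)))
    print("2.0.27 needs update:", child_needs_update("2.0.27"))
```

Any hit is a prompt for manual review rather than proof of compromise, and a clean result does not rule one out.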