• Resolved ezly

    (@ezly)


    Hi,

    Just now I discovered that a new user with username ‘admin’ had been created, with user role subscriber and no registered email address. This scared me a little.

    Using Defender Pro I can see the IP address:

    Description: added a new user: Username: admin, Role: Subscriber
    Context: users
    Type: user
    IP Address: 185.234.217.175
    User: Guest
    Date / Time: May 10, 2020 4:13 pm

    I then googled this IP address, and landed on this page:
    https://www.abuseipdb.com/check/185.234.217.175

    The top abuse listing as well as multiple others, mention this plugin:
    “Forbidden directory scan :: 2020/05/08 06:36:49 [error] 1046#1046: *322858 access forbidden by rule, client: 185.234.217.175, server: [censored_2], request: “GET /wp-content/plugins/custom-registration-form-builder-with-submission-manager/readme.txt HTTP/1.1”, host: “[censored_2]”

    Seeing as there seem to be no other questions about this, what do we do?
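The two artifacts in the post above (an unexpected account with a well-known login name and no email, and an audit entry whose actor is “Guest”, i.e. an unauthenticated request) are exactly what a small triage script can check. The following is an added example, not code from the thread or from any of the plugins named in it. It assumes the user list is in the shape `wp user list --format=json` prints (fields `user_login`, `user_email`, `user_registered`, `roles`) and that the audit log has been exported to records with the same columns Defender shows in the post; both inputs below are constructed samples that mirror the posted values.

```python
"""Triage unexplained WordPress user creation: flag suspicious accounts and
correlate them with audit events where an unauthenticated actor created a user.
Added example for this thread; not part of any plugin's code."""
import json
from datetime import datetime, timedelta

# Login names that automated attacks create or probe for (assumed list).
WELL_KNOWN_LOGINS = {"admin", "administrator", "wp-admin", "root", "test", "user"}

# "Now" for the constructed sample, the day after the event in the post.
SAMPLE_NOW = datetime(2020, 5, 11, 12, 0)

# Constructed sample in the shape `wp user list --format=json` prints (assumption).
SAMPLE_USERS_JSON = json.dumps([
    {"ID": "1", "user_login": "ezly", "user_email": "owner@example.com",
     "user_registered": "2018-02-01 09:30:00", "roles": "administrator"},
    {"ID": "57", "user_login": "shopper42", "user_email": "shopper42@example.net",
     "user_registered": "2020-05-09 11:02:17", "roles": "customer"},
    {"ID": "58", "user_login": "admin", "user_email": "",
     "user_registered": "2020-05-10 16:13:05", "roles": "subscriber"},
])

# Constructed Defender-style audit entries mirroring the one quoted in the post.
SAMPLE_AUDIT_EVENTS = [
    {"description": "logged in", "context": "session", "type": "user",
     "ip": "203.0.113.7", "user": "ezly", "datetime": "May 10, 2020 9:01 am"},
    {"description": "added a new user: Username: admin, Role: Subscriber",
     "context": "users", "type": "user", "ip": "185.234.217.175",
     "user": "Guest", "datetime": "May 10, 2020 4:13 pm"},
]


def parse_wp_datetime(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS' value WordPress stores in user_registered."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def parse_audit_datetime(value):
    """Parse the 'May 10, 2020 4:13 pm' format shown in the Defender entry."""
    return datetime.strptime(value, "%B %d, %Y %I:%M %p")


def suspicious_users(users_json, now, window_days=7):
    """Return {login: [reasons]} for accounts matching at least two indicators.

    Indicators: well-known login name, empty email, administrator role, and
    registration within the last `window_days`. One indicator alone (e.g. a
    recently registered legitimate customer) is not flagged.
    """
    cutoff = now - timedelta(days=window_days)
    flagged = {}
    for user in json.loads(users_json):
        reasons = []
        if user["user_login"].lower() in WELL_KNOWN_LOGINS:
            reasons.append("well-known login name")
        if not user["user_email"].strip():
            reasons.append("no email address")
        if "administrator" in user["roles"].split(","):
            reasons.append("administrator role")
        if parse_wp_datetime(user["user_registered"]) >= cutoff:
            reasons.append(f"registered within {window_days} days")
        if len(reasons) >= 2:
            flagged[user["user_login"]] = reasons
    return flagged


def user_creations_by_guest(events):
    """Return audit events in which an unauthenticated actor ('Guest') created a user.

    A user created while nobody is logged in is either a public registration
    path or a bug in whatever code path handled the request; both need a look.
    """
    return [
        e for e in events
        if e["context"] == "users"
        and e["description"].startswith("added a new user")
        and e["user"] == "Guest"
    ]


def correlate(users_json, events, now):
    """Join guest-created events with the flagged accounts that still exist."""
    flagged = suspicious_users(users_json, now)
    findings = []
    for event in user_creations_by_guest(events):
        # The description carries 'Username: <login>, Role: <role>'.
        login = event["description"].split("Username: ")[1].split(",")[0].strip()
        findings.append({
            "login": login,
            "source_ip": event["ip"],
            "created_at": parse_audit_datetime(event["datetime"]),
            "still_present": login in flagged,
            "reasons": flagged.get(login, []),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_USERS_JSON, SAMPLE_AUDIT_EVENTS, SAMPLE_NOW):
        print(finding)
```

The `source_ip` from each finding is what you would then check against the web server access log for the same minute, to see which request path (a registration form handler, `admin-ajax.php`, the REST API, or a plugin endpoint) created the account; the audit entry alone does not say which plugin did it, which is why the developer's reply later in the thread cannot settle the question from the Inbox alone.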

Viewing 12 replies - 1 through 12 (of 12 total)
  • Plugin Support RegistrationMagic Support

    (@registrationmagicsupport)

    Hi,

    We need to replicate the reported issue at our end hence we would require further details. If feasible, please raise a ticket at our support forum: https://metagauss.com/help-and-support/ in order to provide you a speedy resolution.

    Thread Starter ezly

    (@ezly)

    Just letting you know I have sent you a message through that support page.

    The same issue on my site! Please, share the resolution here.

    I deleted the ‘admin’ user.

    The alert message that I received before that from Wordfence was:

    High Severity Problems:
    * An admin user with the username admin was created outside of WordPress.

    How is that possible? Is this a security risk from the plugin?

    Thread Starter ezly

    (@ezly)

    Hey Nikola,

    Do you mind sharing what other plugins you have installed so we can compare?

    I gave the plugin developer access to my site and this is their response so far:

    “However, we have found that the user account you reported did not go through RegistrationMagic’s form. There is no Inbox entry for this registration. So it is possible that another plugin could be reason behind it.

    We can see you brought the site back online now. So we’ll do some further testing on our end and get back to you with more updates.”

    Thread Starter ezly

    (@ezly)

    Here are my active plugins:

    InfiniteWP – Client
    Admin Columns Pro – Advanced Custom Fields (ACF)
    Advanced Custom Fields: ACF Country
    AddFunc Head & Footer Code
    Admin Columns Pro
    Advanced Custom Fields PRO
    Akismet Anti-Spam
    Classic Editor
    Code Snippets
    RegistrationMagic
    Dashboard Columns
    Duplicate Post
    Interlinks Manager
    WPBakery Page Builder
    Mailster – Email Newsletter Plugin for WordPress
    Nelio Content
    Piklist
    Really Simple SSL
    Redis Object Cache
    Related Posts
    Remove Dashboard Access
    Simple Tags
    Term Management Tools
    WooCommerce
    Yoast SEO Premium
    WP All Export Pro
    WP All Import Pro
    Wordpress Automatic Plugin
    Defender Pro
    Hummingbird Pro
    WP Mail SMTP
    WP All Export – User Export Add-On Pro
    WP All Import – ACF Add-On
    WP All Import – User Import Add-On Pro
    WPMU DEV Dashboard

    Here are my active plugins:

    GA Google Analytics
    Genesis Simple Edits
    Genesis Simple Share
    Genesis Simple Sidebars
    JoomSport
    JoomSport Predictions
    Loco Translate
    RegistrationMagic
    Say What?
    Simple Social Icons
    TablePress
    UpdraftPlus – Backup/Restore
    Wordfence Security
    WP User Avatar
    Yoast Comment Hacks
    Yoast SEO

    Is there a resolution?

    Thread Starter ezly

    (@ezly)

    Nope. They couldn’t find an exploit. My site got hacked really bad after my last message, spent the whole night cleaning malware and switching everything over to WooCommerce. Should have just deleted the plugin right after the first breach, maybe that would’ve saved me from my db getting stolen.

    There were other vulnerabilities found in RM only a few months ago as well if you look at exploit registry sites, but I’m still only guessing about suspecting them. I’ll be keeping an eye on this and if anything might happen in the meantime I’ll report it here.

    @ezly Sorry to hear this. It sounds really bad!

    Did you delete the ‘admin’ user when this happened?

    I deleted it almost immediately. And luckily, I’m still not hacked. Or I don’t see such signals for now.

    Do @registrationmagicsupport care about this serious security issue?

    Plugin Contributor registrationmagic

    (@registrationmagic)

    Hello ezly (@ezly) and Nikola (@combobets),

    Please rest assured we are following your posts and looking through the reported issue, and the possibility of it happening through RegistrationMagic. So far we do not have any leads, but our team is still on it as I write. As soon as we have an update we will post it here.

    Also, any old security weaknesses reported were all fixed months ago. In fact, we had updated most of the code with improved security checks.

    Regards.

    Plugin Contributor registrationmagic

    (@registrationmagic)

    Hello ezly (@ezly) and Nikola (@combobets),

    We appreciate your patience. While we could not convincingly conclude that the user account was created through RegistrationMagic code, in our recent release, v4.6.0.9, we have introduced a mechanism which provides additional security for any such attempts. Not to say it was weak before, but it should be doubly safe now.

    Please do update to latest version and let us know if you face any other issue while using RegistrationMagic.

    Regards.

  • The topic ‘Unknown user ‘admin’ created’ is closed to new replies.