redart599
Forum Replies Created
@wfmargaret Oh and the testing you advised was completed successfully. “I’d also like you to test a standard email sent by Wordfence. In Wordfence > Diagnostics > Other Tests, please send a test email to yourself. Then, check the email logs and see where the email was sent. Please let me know what you find!”
Email arrived and was not sent anywhere else.
Note that I have not seen any further signs of activity to the hacker’s email since the file was removed from my WordPress root directory. However, a copy is available
I realised that there is a difference in the wording of the email that I missed. The password recovery attempt versus the password reset emails. So this fake user was somehow masquerading as an admin, is that correct, and nothing malicious could have been happening to their account or information because the password reset email was sent to the correct address, is that correct understanding?
@wfmargaret Yes, this nefarious email address ([email protected]) has successfully received password recovery emails. Here’s an example: https://app.screencast.com/kPDwzoa9u8XB3 The user’s email address has been blurred. That email address is a valid user and valued customer. There are numerous cases of this that I can now find, and of interest is the time of the emails to the real user being sent to the hacker email. See this screenshot: https://app.screencast.com/vhS0TuBiGLUdm
So my question remains, why are password recovery emails able to be sent to non-verified email addresses?
@wfmargaret The Password recovery emails were being sent to an email address not registered with any of our users. Why is this possible? Why is there not a verification for backup email address for each user?
In this case I suspect our user’s accounts somewhere had been hacked and this person was trying to gain wider access to their information.
Here is a screenshot of an entry in my email log. I use WPO365 as my email sender and wonder if I need to make specific changes to ensure that is fully used, not wp-mail?
https://app.screencast.com/UFXQGnOtzH0E5
Hi Marco,
I’ve been using computers regularly, for home and business, since 1986. Requests for product reviews are ubiquitous and I usually take the shortest polite way forward. However, when a product and the business behind it provide exemplary service in support of that product, I want them to succeed.
My world is a better place because of you and your work.
Thank you.
Nick
- This reply was modified 9 months, 2 weeks ago by redart599.
Forum: Plugins
In reply to: [Invoices for WooCommerce] PHP 8 incompatible. Plugin discontinued ?
I have the same issue. As WordPress has stopped support and updates for PHP V 8.0, when I go to upgrade I can check for incompatibilities and this plugin shows potential risks. Is there any plan to update the plugin or do I need to find another solution?
Hi, This error message suggests the vulnerability still exists even in the latest version 12.4.2:
https://itsec-site-scanner.ithemes.com/vulnerability-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%253D%253D?token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYmYiOjE2Nzk5NjUxNTQsImlhdCI6MTY3OTk2NTE1NCwiZXhwIjoxNjgwNTY5OTU0LCJncmFudCI6Iml0c2VjLXNpdGUtc2Nhbm5lci1tYW5hZ2Utc2NhbiIsInVzZXIiOjJ9.EQT02ggOWxHKlX993kWZNmrDYFCY0Pf-U7sPupmhRJY
Thanks, but . . .
If it was a conflict with plugin or theme, why would the backend work totally flawlessly for all admins (another 9) apart from these two? The others access from several different locations around the world and these two both use the same ISP.