  1. Rafael Ehlers

    Pippin posted that 19 hours ago. Can’t we wait a little bit more until the plugin authors have time to properly respond to that before we make this another public “shame on you” thing? Good lord, what we have become…


    • Jeff Chandler

      No. The plugin has 5 maintainers and no one has responded to the support thread started by Pippin. 19 hours is more than enough time to at least confirm and give out a public statement, which of course I would have happily linked to and quoted. It’s also not a security flaw as some may have implied from the title (my apologies) so I’m not putting any sites at risk.

      I also provided them ample time to respond to my email inquiry. This is not a shame on you type of post, it’s to inform its users that data loss can occur under the right conditions.


      • Samuel Aguilera (@samuelaguilera)

        Dear Jeff,

        Just for the record…

        1. The plugin doesn’t have 5 maintainers. When you see a plugin with many authors, it does not necessarily mean that all of them have the same implication and/or responsibilities.
        2. As you probably know, WP.org repositories allow only commits from the user who submitted the plugin in the first place (the owner). So it depends always on one person only to submit fixes.
        3. Only that “owner” of the plugin receives notifications when a support thread for his plugin is created.
        4. Not all people are in your timezone. 19 hours in your timezone can be much less working hours in the plugin’s author country depending on the time difference due to different timezone.
        5. I’m in the author list and I didn’t receive any message from you about this (no email, no tweet, nothing…).

        Apart from this, I think this post, and especially the title, is too far from being honest.

        Serious bug? Really?

        It was affecting only users who use a certain feature, that requires the user to run it manually, and only in a particular scenario (with AffiliateWP installed or any other plugin with ‘afw’ in the options_name).

        After more than 350.000 downloads, this was the first report of this bug (that was there for a long time). So I honestly think that it was not too serious if after more than 350.000 downloads no one had the issue until now…

        By the way, I have both plugins installed and never had the problem.

        Best regards.


        • Jeff Chandler

          I was under the impression that each author listed had commit access. Thank you for the clarifications.

          Anytime data loss occurs, and in this case can happen without the user even realizing it, is a serious issue to me. You’re correct in that this issue only affects those in certain situations using a specific feature, but it happens nonetheless. A user decides to do a database scan and the next thing you know, option IDs disappear. That is not cool, is a serious problem, and I’m happy to see a new version that fixes the problem.

          You mean “fwp” in the options name as you can see from the screenshots in the post.

          “After more than 350.000 downloads, this was the first report of this bug (that was there for a long time). So I honestly think that it was not too serious if after more than 350.000 downloads no one had the issue until now…”

          Guess we’ll never know how many option ids were deleted without the user’s consent. I stand by my claim that it was a serious bug even if this is the first time it’s been reported to cause an issue.

          The one point I agree with is that using the word flaw and security in the post title led people to think it was a serious security vulnerability. I immediately changed the title and wording to reflect that it was not. Lessons learned for the future.


        • Syed Balkhi

          I’m not taking sides here, but I want to clarify that your statement #2 about “only the plugin owner having the commit access” is false.

          A plugin owner / admin can give other users commit access by clicking on the Green Admin button that only the plugin owner sees.

          Also it’s important to note that Authors / Committers are completely separate in the way they’re handled.

          The list of plugin authors is controlled via the Readme file in the plugin. The committers list is maintained by the plugin owner on the wordpress.org site for that individual plugin.

          Simply add /admin/ to the end of the plugin URL, and you will see the admin page.

          Also clarification on #3 — each plugin has a support forums RSS tag that you can use to be notified if you have multiple support staff members.


  2. Derp

    Rafael, the wait time you’re referring to is typically meant for vulnerabilities/backdoors etc. Posting this ASAP is actually a benefit for the user since it will hopefully prevent a user from deleting an option before the plugin is fixed. As opposed to waiting to publicly talk about a plugin that has a back door or vulnerability that someone could exploit. Very different scenarios.


  3. Miroslav Glavic


    Wasn’t there another situation where someone found an exploit, and you said she should have waited at least 24 hours before disclosure? Yet you only waited 19 hours.


  4. Peter

    As Jeff Chandler already stated in his last comment, the current behaviour of this feature, particularly as it applies to the “fwp” option name, isn’t a security hole. However, the feature does need some improvements in the way it handles false positives.

    We will make those improvements and re-introduce that feature soon.

    Currently we are in the process of releasing an updated version of the AIOWPS plugin today. In that release we are going to temporarily deactivate that feature until we introduce our improvements.

    AIOWPS plugin author


  5. jeffreyhuckaby

    Bringing such conflicts to the attention of the WP community is great. Kudos.

    Using a title that implies a serious issue in a security tool is alarmist.

    Some perspective …..

    1) ~360K downloads of AIOWPS

    2) Of these, only a fraction will be active. Let’s be generous at 25%.

    (Peter if you have the numbers that would be great)

    3) Of the ~90K active AIOWPS installations, only a few will have plugins that conflict.

    Let’s be generous again at 25%.

    4) Of the ~22K AIOWPS installs with conflicts, maybe half run the tool.

    So that’s 11,000 out of 75,000,000.

    Let’s say I am off by 10X.

    The issue impacts just 0.14% of sites.


    • Jeff Chandler

      I learned a few things from the original title I used, especially with using the word flaw and security in the same title. Anywho, as I explained in another comment, any data loss to me is a serious issue. I really don’t like how you and others are using all these numbers and stats to downplay the issue of data loss, whether it’s critical or not. If I come across or someone reports a plugin that allows users to lose their data without their consent, I’ll use the same verbiage and language because it’s unacceptable. I mean, it almost sounds like you’re ok with just 0.14% of sites being impacted.

      As a user, I place trust and confidence into security tools like All In One Security and Firewall to protect my site. I understand what the scanners do but I definitely don’t understand the things it detects. In this case, I’m aware of what the pharma hack means and I’ll take what the scanner is doing as expected behavior. I trust that it’s doing its job without any negative side effects. As it turns out, that wasn’t the case.

      You’ll never truly know how many things were removed from users’ databases that shouldn’t have been touched.


  6. Justin Tadlock

    I’m not sure why you’re catching so much flak on this, Jeff. Your reporting was accurate, honest, and a service to the WordPress community. I read the original post title and the new one. Neither are incorrect or alarmist. It’s not your responsibility to teach people how to read.

    Also, whether this is currently an issue for one user or 350,000 doesn’t negate the seriousness of the bug in the plugin. This is also the reason I re-tweeted Pippin’s original tweet on this. It is a serious bug.


  7. jeffreyhuckaby



  8. Ed

    @ Jeff Chandler – THANK YOU!!! Finally the answer to a very difficult mystery problem that I have been trying to figure out for quite a while now. I have 2 users that are using the BPS Pro DB Monitor feature and the All in One… plugin has been deleting data and triggering the DB Monitor. I had been looking in the wrong place and after finding this post I have confirmed that the source of the problem is All in One… Thank you again! Yeah mystery solved finally. ;)

