One month ago, I received a mail from Mika (plugin referee at wordpress.org) telling me that MailPress was temporarily withdrawn from the WordPress plugin repository due to an exploit/vulnerability.
I will not describe this vulnerability here, for obvious security reasons (it is a tricky one).
Some other subjects were raised:
## Calling file locations poorly (this is currently fixed in trunk)
## Calling core loading files directly
## Not using nonces and/or not checking permissions
Fixing these points will require large code modifications!
## Asks users to edit / writes to the plugin folder
I did not discuss the essence of open source with Mika, but THIS means I have to find another place for the mp-content folder. Mika said:
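The three review points above (plugin paths, bootstrapping core, nonces and permissions) are what a WordPress admin action handler looks like when it follows the plugin review guidelines. This is an added example, not MailPress code and not part of the original post; the names `mp_example_save`, `mp_example_form`, `mp_example_nonce` and the option key `mp_example_setting` are hypothetical.

```php
<?php
// Added example (not MailPress code). Hypothetical names: mp_example_save,
// mp_example_form, mp_example_nonce, option key 'mp_example_setting'.

// 1. "Calling file locations poorly": resolve the plugin's own directory
//    through the API, never with a hard-coded 'wp-content/plugins/...' path.
//    wp-content can be relocated and renamed by the site owner.
$mp_example_dir = plugin_dir_path( __FILE__ ); // filesystem path, trailing slash
$mp_example_url = plugin_dir_url( __FILE__ );  // URL, trailing slash

// 2. "Calling core loading files directly": do not include wp-load.php or
//    wp-config.php from a stand-alone plugin script. Route the request through
//    admin-post.php instead, so core is loaded and the user is authenticated
//    before the handler runs.
add_action( 'admin_post_mp_example_save', 'mp_example_save' );

// 3. The form that posts to the handler carries a nonce bound to the action.
function mp_example_form() {
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="mp_example_save">
		<?php wp_nonce_field( 'mp_example_save', 'mp_example_nonce' ); ?>
		<input type="text" name="mp_example_setting"
		       value="<?php echo esc_attr( get_option( 'mp_example_setting', '' ) ); ?>">
		<?php submit_button( 'Save' ); ?>
	</form>
	<?php
}

// 4. "Not using nonces and/or checking permissions": the handler checks the
//    capability first, then the nonce, before it reads or writes anything.
function mp_example_save() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}
	// Dies with a 403 if the nonce is missing, expired or forged (CSRF).
	check_admin_referer( 'mp_example_save', 'mp_example_nonce' );

	$value = isset( $_POST['mp_example_setting'] )
		? sanitize_text_field( wp_unslash( $_POST['mp_example_setting'] ) )
		: '';
	update_option( 'mp_example_setting', $value );

	wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
	exit;
}
```

The order of the two checks matters: the capability check tells you whether this user may perform the action at all, the nonce check tells you whether this user actually intended to perform it now, and neither one substitutes for the other.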
We cannot accept a plugin that forces (or tells) users to edit the plugin files in order to function, or saves data in the plugin folder.
Plugin folders are deleted when upgraded, so using them to store any data is problematic. [This is why automatic upgrade of MailPress is not recommended.]
Please change your plugin to save those files outside of the plugins folder (in wp-content/pluginname perhaps, or wp-content/uploads/pluginname, which would make it work well with multisite; make sure you read http://codex.wordpress.org/Determining_Plugin_and_Content_Directories to understand where the folders are and how best to call them), or if possible, save data to the wp_options table.
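One way to act on that advice, as an added example that is not MailPress code and not part of Mika's message: resolve a per-plugin data directory under the uploads folder, which survives plugin upgrades and follows the per-site upload path on multisite, and keep small settings in wp_options. The function names `mp_example_data_dir` and `mp_example_get_settings`, the subfolder name `mailpress` and the option key `mp_example_settings` are hypothetical.

```php
<?php
// Added example (not MailPress code). Hypothetical names: mp_example_data_dir,
// mp_example_get_settings, subfolder 'mailpress', option key 'mp_example_settings'.

// Returns the plugin's writable data directory (with trailing slash) or a WP_Error.
function mp_example_data_dir() {
	// wp_upload_dir() returns the upload basedir for the current site, so on
	// multisite each blog gets its own copy of the folder.
	$upload = wp_upload_dir();
	if ( ! empty( $upload['error'] ) ) {
		return new WP_Error( 'mp_example_no_uploads', $upload['error'] );
	}

	$dir = trailingslashit( $upload['basedir'] ) . 'mailpress/';
	if ( ! wp_mkdir_p( $dir ) ) {
		return new WP_Error( 'mp_example_mkdir', 'Could not create ' . $dir );
	}

	// Caveat: unlike the plugin folder, uploads/ is meant to be served directly.
	// Block directory listing and, on Apache, refuse to execute anything that
	// lands in the folder as PHP (the .htaccess covers both 2.2 and 2.4 syntax).
	if ( ! file_exists( $dir . 'index.php' ) ) {
		file_put_contents( $dir . 'index.php', "<?php // Silence is golden.\n" );
	}
	if ( ! file_exists( $dir . '.htaccess' ) ) {
		$rules  = "<FilesMatch \"\\.(php|phtml|php[0-9])$\">\n";
		$rules .= "<IfModule mod_authz_core.c>\nRequire all denied\n</IfModule>\n";
		$rules .= "<IfModule !mod_authz_core.c>\nDeny from all\n</IfModule>\n";
		$rules .= "</FilesMatch>\n";
		file_put_contents( $dir . '.htaccess', $rules );
	}

	return $dir;
}

// Small, structured configuration belongs in wp_options, not in a file at all.
function mp_example_get_settings() {
	return get_option( 'mp_example_settings', array() );
}

function mp_example_update_settings( array $settings ) {
	return update_option( 'mp_example_settings', $settings );
}

// Usage: write a template file into the data directory, not into the plugin folder.
$mp_example_dir = mp_example_data_dir();
if ( ! is_wp_error( $mp_example_dir ) ) {
	file_put_contents( $mp_example_dir . 'example-template.html', '<p>Hello</p>' );
}
```

The `.htaccess` rules only help on Apache; on nginx the equivalent `location` block has to be written by the site owner, which is one more reason to keep anything that is not a genuine file (settings, templates that are really just text) in wp_options.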
I will not be able to finalize all the modifications before September (summer time).
If you have any advice, please let me know by mail, in the comments, or in the Google group.
Enjoy your summer!
PS: Mika's team apparently has no name; I was tempted by \NCIS for WordPress Codex Inforcement Squad (with a little touch of leet :-) ).