• swinggraphics

    (@swinggraphics)


    Enables the theme and plugin file editor, regardless of DISALLOW_FILE_EDIT! 😮

    Additional negative features:

    Every time it is activated, it adds new user accounts and demo event posts. Not often a problem in production, but definitely on staging and development, and it shouldn’t ever be happening. Probably not even on initial activation, without consent.

    Should not have to create user accounts for speakers and organizers. Could be optional, but should not be required. Email addresses are required for users and obviously not always going to be available or desirable to add.

    And once you delete these default Organizers and Speakers, you then also have to go delete them from Users. Again, that’s any time the plugin is activated.

    Finally, a simple bug: just noticed “Booking Performance” on dashboard has “null0” “null1” “null2” “null3” “null4” on Y axis.

    When they added an admin notice about WooCommerce, they did not make the notice dismissible, so you and other admins always see an error that WooCommerce is required, even when you don’t use that functionality.

    Update January 2026: Just discovered a new problem—This plugin outputs the admin email many times in the source code, for example in etn-public-js-extra.

    • This topic was modified 4 months, 1 week ago by swinggraphics. Reason: New security problem discovered
Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support Md Mahbub Morshed Chowdhury

    (@faheem96dev)

    Hi @swinggraphics! 😊
    Thanks so much for reaching out and sharing your detailed feedback — we truly appreciate it!

    Please kindly understand, we only insert demo data on fresh installations to help new users see how events, speakers, and organizers are set up — it’s meant to make onboarding smoother. But yes, we absolutely agree that it should come with consent, and we’ve already noted this for improvement.

    Also, you’re right — the demo data should not be added multiple times on reactivation. That’s a bug, and our developers are working hard to fix it. A patch update is actually being released today to resolve this issue fully.

    Regarding user creation — thanks again, we’re already discussing this with the team and will make it optional in a future update.

    And about the “null” values on the “Booking Performance” chart — we couldn’t replicate that on a fresh install or production: Screenshot. We’d love to check your setup to understand what’s causing it there.

    Lastly, if you feel we’ve taken your feedback seriously (we really have!), and if things look good after the update, we’d be so grateful if you could consider updating your 1-star review to 5 stars 💛 — we’re here to make this a great experience for you.

    Thanks again!
    Best regards,
    M Mahbub

    Thread Starter swinggraphics

    (@swinggraphics)

    Let me add one more reason for the single star: I spent many hours yesterday investigating and repairing a hacked site because these guys do unnecessary, stupid stuff (creating user accounts), and they do it irresponsibly (allowing unauthenticated users to create user accounts and change their roles).

    Plugin Support Md Mahbub Morshed Chowdhury

    (@faheem96dev)

    Hi @swinggraphics,

    Just to clarify, unauthenticated users don’t get access to the plugin menu and definitely can’t create user accounts without proper roles and permissions. We assure you that we take security concerns and product quality very seriously. We’d really appreciate it if you could share how it was triggered on your site—if there’s any loophole, we’ll fix it ASAP. Your feedback helps us improve.

    Best regards,
    M Mahbub

    Thread Starter swinggraphics

    (@swinggraphics)

    Logs showed direct evidence of a hack as described here: https://patchstack.com/articles/critical-privilege-escalation-vulnerability-patched-in-eventin-plugin/ The attackers were able to gain Administrator access and install other plugins. When your plugin does annoying things (like create undesired user accounts), and implements that in a very insecure way that results in a breach, that garners a 1-star review. End of discussion.

    Plugin Support Md Mahbub Morshed Chowdhury

    (@faheem96dev)

    Hi @swinggraphics,

    We understand your frustration, but we kindly ask you to read the Patchstack blog carefully.

    As clearly mentioned in the article itself (screenshot: https://prnt.sc/6i88s8lDA0Cv), the vulnerability was in older versions of the Eventin plugin. We have already resolved this in the latest version (4.0.29), and the fix was made available promptly after responsible disclosure.

    Also, please note that Patchstack’s blog aims to raise awareness about potential security issues — it doesn’t accuse Eventin of intentional malpractice. In fact, they simply advise users to update to the patched version. Here’s further clarification: https://prnt.sc/uNtlzpj-RrBG

    We’re always working to improve our product, and security is a top priority for us. We encourage all users to keep plugins up to date to stay protected.

    We genuinely care about our users and take all reports seriously. But if there’s still a misunderstanding and you choose to leave a 1-star rating, even after these clarifications and timely fixes, then unfortunately there’s nothing more we can do — though we do believe that would be unfair given the facts.

    Best regards,
    M Mahbub

    Thread Starter swinggraphics

    (@swinggraphics)

    It has not escaped my attention that you have not spoken to the very first reason I gave for my review: the fact that you enable by force the file editor. There is absolutely no reason you should be doing that.

    To recap: Enabling the file editor, creating undesired user accounts, forced and continual addition of demo data, and my client’s site was hacked because it has your plugin. I don’t see any room for changing my review at this point. I will not be responding any further.

    Also, you need to stop emailing me directly. The fact that you have my email address from an inquiry about your Pro plugin does not mean you should be using it to contact me about issues on ww.wp.xz.cn.

    • This reply was modified 1 year ago by swinggraphics. Reason: Added demand to stop direct emails

    Plugin Support Md Mahbub Morshed Chowdhury

    (@faheem96dev)

    Hi @swinggraphics,

    Greetings!

    We understood, and thanks for your feedback. You mentioned you won’t respond further, so this will be our last message. We’ve already addressed and fixed the issues you raised in our latest update—please update the plugin to get the fixes.

    Best Regards

    M Mahbub

    Thread Starter swinggraphics

    (@swinggraphics)

    I did not want to reply here, but I must add that their claim to have “fixed the issues you raised in our latest update” is a lie. They still force the file editor enabled, and the plugin still creates unwanted user accounts without choice.

    And a new frustration: even when given permission to access Events, Organizers, etc., users are shown an error message about insufficient permissions when they try to access those menu items. You must also give them Dashboard access.

    Plugin Support Md Mahbub Morshed Chowdhury

    (@faheem96dev)

    Hi @swinggraphics,

    Thank you for taking the time to share your feedback. We’re truly sorry for the frustration you’ve experienced, and we’d like to clarify a few important points to avoid any misunderstandings:

    1. File Editor Access:
      We want to assure you that Eventin does not force-enable file editing in WordPress. If you’re noticing that behavior, it may be caused by another plugin or a server configuration. To help us understand better, could you please share a screen recording or screenshot of the issue?
    2. User Account Creation:
      Eventin creates user accounts only in specific, purposeful scenarios:
      • When you create a speaker, we register them as a user so they can be associated with events and manage their events easily.
      • When someone purchases a ticket, we make Eventin a customer, WooCommerce (and most eCommerce plugins) create a customer user account. This is standard behavior and helps with order tracking, customer communication, etc.
      If you prefer not to create users for customers, you can disable that functionality by commenting out the following line in your code:
      🔗 View code line to disable
    3. Permission Errors for Custom Roles:
      We’ve noted your point about users seeing permission errors when accessing Events, Organizers, etc., even when given access. This may be for another reason; without checking, we cannot tell you exactly about this, as we don’t face such issues. We’d love to investigate further — could you please let us know the exact role setup or share a screen recording so we can reproduce and fix this behavior?

    We genuinely want to improve your experience and address any pain points. Please help us with some more details so we can assist you effectively.

    Thank you again for your patience and detailed feedback.

    Best regards,
    M Mahbub

The topic ‘Behaves badly’ is closed to new replies.