• nonaty

    (@nonaty)


    This plugin creates a WordPress user with Shop Manager privileges without notifying or asking the site admin — and it relies on that user account to maintain its integration with Sendcloud.

    That’s a serious security and transparency issue. The account isn’t optional or secondary; it’s a core part of how the plugin connects to the service, yet there’s no disclosure of this behavior during setup. Silent user creation with elevated privileges goes against WordPress best practices and undermines trust.

    Until this is made transparent and optional, I can’t recommend this plugin for any site concerned with proper access control and security hygiene.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    *Reads. Puts down coffee.*

    @nonaty Could you please email the plugin team via plugins[at]ww.wp.xz.cn with the details?

    Creating an account is (maybe) allowed if the user does consent, but without consent that’s not cool.

  • developmentsendcloud

    (@developmentsendcloud)

    Hello @nonaty,

    Thank you for bringing this to our attention and for outlining your concerns so clearly.

    We understand the importance of transparency and proper access control, especially when it comes to user roles with elevated privileges. While we do currently document this behavior in our Help Center, we fully recognize that this may not be visible or prominent enough during the plugin setup process.

    The information is currently visible in our Help Center article WooCommerce V2 Integration, specifically under the section “Connecting with Sendcloud”.

    We’ve raised this internally for further discussion and are actively reviewing how we can improve communication around this aspect of the integration. We appreciate your feedback and will take it into account as we evaluate next steps.

    Thank you again for helping us improve.

    Safan | Technical Support Specialist


The topic ‘Creates WordPress User Without Consent — Not Acceptable’ is closed to new replies.