I reply to all queries on the forums and via email, once per day, Monday to Friday (not weekends).

If you are new here, please see some information on how to ask for support. Thank you!


dashed-slug.net Forums General discussion *URGENT – SECURITY BUG*

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
  • #2349

    Hi, First of all thank you for such an amazing plugin. I have found a bug that compromises security in this plugin. I am not going to put this out here as it can be misused, could you please provide contact information so I can explain it to your team. Regards.



    Thank you for finding this and for reporting it to me.

    You can find my contact email at https://www.dashed-slug.net/contact/

    I will look at it today and if it is indeed a problem I will release a fix ASAP.

    thanks again

    kind regards,


    Thank you for reporting this. I am posting here for the benefit of anyone else reading this.

    You describe that the get_user_info JSON call divulges user names. This is not a bug, but works as intended and is documented behavior.

    I do intend to replace this API in the future with something that does not divulge user names, but it will be done when I rework the API because it’s an architectural change and is tied to a lot of other things that also need to change.

    For the time being you can disable the “send funds to user” capability from any user roles that you do not wish to be able to see user names. These users will not be able to initiate internal transfers or use the [wallets_move] shortcode, but the deposit/withdrawal functionality will still be there.

    Again thanks for reporting.

Viewing 3 posts - 1 through 3 (of 3 total)
  • You must be logged in to reply to this topic.