
Security Issue with CSV Reports

Posted: August 9, 2024 at 12:09 pm



BCPTA

August 9, 2024 at 12:09 pm

Hi there,

Recently we have been getting forwarded emails from our members that look like this:

“I’m checking in to see whether you’re still interested in getting the list of Distribution/Member List.
• BC Play Therapy Association (British Columbia, CANADA, 2024)
• Attendees Counts: 1,000
Let me know your thoughts so that I can share the cost & more information.
Regards,
Saylor– Event Coordinator”

We have been dealing with WP Engine and Sucuri to find out if there was a hack to our system to allow someone the ability to get these lists or if these were just fake emails. Finally, after a lot of back and forth, WP Engine wrote this to us:
“went ahead and did an ack-grep for those domains [member emails]. It led me to two CSV files on your file system [redacted]
I see these are in a custom directory inside Uploads called espresso. This would actually mean these are publicly accessible, so if you try to resolve the URL including the file path, the CSV will download, like below: [redacted]
What likely happened is some type of bot would have scraped the site for links to check what data is publicly accessible.
Did you set up the espresso directory or is that the default directory configuration from the plugin authors?”

This is a security issue; I am not sure how it is possible that after downloading the CSV report it becomes public. There should be a warning about that. How do we permanently delete these files and prevent anyone except admin users from accessing them?

Thank you
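The mechanism the host describes above (report exports written under wp-content/uploads, so anyone who scrapes or guesses the path can fetch them) can be inventoried and closed off with a small script. The following is an added example for this thread, not code from Event Espresso, WP Engine or the original poster: the `espresso` subdirectory name comes from the thread, while the site URL, the sample files and the Apache-only `.htaccess` rule are assumptions.

```python
"""Inventory CSV report exports that sit inside a web-served WordPress
uploads directory, build the URL at which each would be fetched, and write
an Apache deny rule beside them.

Added example for this thread; not code from Event Espresso, WP Engine or
Sucuri. Assumed layout (from the thread): <uploads_root>/espresso/*.csv under
wp-content/uploads. Site URL and hosting stack (Apache vs nginx) are
assumptions; adjust for your install.
"""
import tempfile
import time
import urllib.error
import urllib.request
from pathlib import Path

# Apache 2.4 rule (with a 2.2 fallback) that refuses direct web requests for
# anything in the directory it is placed in. nginx hosts ignore .htaccess.
APACHE_DENY_RULE = """# Block direct web access to exported report files
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
"""


def find_csv_exports(uploads_root, subdir="espresso"):
    """Return [(path relative to uploads_root, size in bytes, age in days)]
    for every .csv file below uploads_root/subdir, oldest first."""
    root = Path(uploads_root)
    target = root / subdir
    if not target.is_dir():
        return []
    now = time.time()
    rows = []
    for path in target.rglob("*.csv"):
        st = path.stat()
        age_days = max(0, int((now - st.st_mtime) // 86400))
        rows.append((path.relative_to(root).as_posix(), st.st_size, age_days))
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def public_url(site_url, rel_path, uploads_prefix="wp-content/uploads"):
    """URL a crawler would request for a file under uploads if the web server
    serves the directory as-is (the check the host ran in the thread)."""
    return f"{site_url.rstrip('/')}/{uploads_prefix}/{rel_path.lstrip('/')}"


def is_web_reachable(url, timeout=5):
    """HEAD the URL and report whether the server would hand the file out.
    Network call: run it against your own site only."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.URLError:  # covers HTTPError (403/404) too
        return False


def write_deny_rule(uploads_root, subdir="espresso"):
    """Drop an .htaccess deny rule into the export directory; return its path."""
    target = Path(uploads_root) / subdir
    target.mkdir(parents=True, exist_ok=True)
    rule = target / ".htaccess"
    rule.write_text(APACHE_DENY_RULE)
    return rule


def remove_csv_exports(uploads_root, subdir="espresso", older_than_days=0):
    """Delete exported CSVs at least older_than_days old; return what was removed."""
    removed = []
    for rel, _size, age in find_csv_exports(uploads_root, subdir):
        if age >= older_than_days:
            (Path(uploads_root) / rel).unlink()
            removed.append(rel)
    return removed


def make_sample_tree():
    """Constructed uploads tree for the stand-alone demo (no real site touched)."""
    root = Path(tempfile.mkdtemp())
    exports = root / "espresso"
    exports.mkdir()
    (exports / "registrations-2024.csv").write_text("email,name\nuser@example.org,A\n")
    (root / "image.png").write_bytes(b"\x89PNG")  # not a report; must be ignored
    return str(root)


if __name__ == "__main__":
    root = make_sample_tree()
    for rel, size, age in find_csv_exports(root):
        print(f"{rel}  {size} bytes  {age}d old  ->  "
              f"{public_url('https://example.org', rel)}")
    print("deny rule written to", write_deny_rule(root))
    print("removed:", remove_csv_exports(root))
```

The `.htaccess` rule only takes effect on Apache; nginx-based hosts ignore it, so there the equivalent is a `location` deny configured by the host. Either way the rule is a stopgap: the durable fix is for exports to live outside the web root or to be streamed to the admin and discarded, and `find_csv_exports` can be run on a schedule to confirm nothing has accumulated again.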


Tony

  • Support Staff

August 12, 2024 at 4:55 am

This reply has been marked as private.


BCPTA

August 21, 2024 at 6:32 pm

Hi again,

I wrote a response back on August 12th to the support email you listed and I have not heard back.

Could you let me know if you have received that email and the added information we sent on the 14th? I do not know how to clear the temporary files and would need some help with that, and some help to figure out how to change this so the CSV reports are not able to be seen by the public in the future.

Thank you!


Tony

  • Support Staff

August 22, 2024 at 4:30 am

My apologies, it looks like the reply triggered our spam filters (likely due to the link within it) so I hadn’t seen it.

I’ve just gone on the hunt after seeing the above reply and found it. I’ll reply directly via email now.


The support post ‘Security Issue with CSV Reports’ is closed to new replies.
