
SECURITY WARNING: stop using Private Messaging plugin

  • _ck_


    If you are using the Private Messaging plugin

    by Joshua Hutchins /

    or even Detective’s mod version of it, you need to take it offline immediately.

    There are multiple, very serious security problems with it.

    If you are running it, your site can easily be hacked.

    Please take this warning seriously, it’s not worth the headache.

    Make sure you delete not only the plugin file

    but the additional files it uses in the bbPress root.

Viewing 16 replies - 26 through 41 (of 41 total)

  • citizenkeith


    Ever since adding _ck_’s security update, we’ve been having a lot of problems with undelivered PMs. Last night I tried to send a forum member a PM about five times, and he never received it. After sending, I would scroll down to check my Sent Messages and none of them were there.

    I’m running bbPress with Private Messaging 0.80.



    It’s possible, because I was testing it on 1.0, that 1.0 automatically escapes the MySQL values passed and that 0.9 does not. I can’t remember.

    Try adding this before the $bbdb->query


    and see if it helps, or if it just adds slashes to your text instead and breaks it.

    It may also be a quote problem, but I thought the bbPress pre/post text filters should encode quotes or any other problematic characters.



    That seems to work. We’re still testing it out but I think we’re in the clear.

    That said, I also added Anne’s notification hack, and we’re not getting any notifications.



    If the notification sends any part of the actual message, keep in mind the messages now contain html and may get rejected by spam filters. Other than that, I dunno.

    Also you’d have to send the email notification BEFORE you do the escape if you send the message or title in the message (or save the original to different strings).




    Can you tell me where specifically to put your email notification hack? I’m not well versed in PHP or coding in general (outside of HTML/CSS). Thanks!

    Hi Citizenkeith, I just saw this now… you’d put the hack at the end of pm_new_message. So my function now looks like this:

    function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ) {
        global $bbdb, $bb_table_prefix;

        $created_on  = bb_current_time('mysql');
        $id_receiver = intval($id_receiver);
        $id_sender   = intval($id_sender);

        remove_filter('pre_post', 'post_regulation');

        // Keep the unescaped title for the notification e-mail (as _ck_ notes above,
        // escape after you have saved the original), then escape both text fields
        // before they are spliced into the query. $bbdb->escape() is assumed to be
        // the bbPress database escaping helper; adjust if your version names it differently.
        $raw_title = $pmtitle;
        $pmtitle   = $bbdb->escape($pmtitle);
        $message   = $bbdb->escape($message);

        $bbdb->query("INSERT INTO " . $bb_table_prefix . "privatemessages
            (id_sender, id_receiver, pmtitle, message, created_on)
            VALUES ('$id_sender', '$id_receiver', '$pmtitle', '$message', '$created_on')");

        // Anne's notification hack: e-mail the receiver a link to the new message.
        // Single-quoted %1$s etc. so PHP does not try to interpolate a variable named $s.
        $to      = bb_get_user_email($id_receiver);
        $pm_link = bb_get_option('uri') . 'message.php?id=' . $bbdb->insert_id;
        $notice  = __("You have a new private message: %1\$s\nFrom: %2\$s\n\n%3\$s");
        mail( $to, bb_get_option('name') . ': ' . __('Private Message'),
            sprintf( $notice, $raw_title, get_user_name($id_sender), $pm_link ),
            'From: ' . bb_get_option('from_email') );
    }
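Added example, not code from the plugin, the thread, or bbPress: a stand-alone reproduction of what happens when the plugin's INSERT splices raw text into the SQL string, and what the escaped-or-bound form does instead. It uses Python's sqlite3 in memory as a stand-in for bbPress's MySQL layer; the table, the user ids and the message texts are constructed for the demo. Because SQLite escapes quotes by doubling rather than with MySQL's backslashes, the hardened version binds parameters instead of calling `$bbdb->escape()`, but the point is the same one _ck_ makes above: message text must never become part of the SQL grammar. The first case is the "undelivered PM" symptom from this thread (an apostrophe breaks the statement and the row is silently lost); the second shows a crafted title that closes the quote and supplies its own message body and timestamp.

```python
"""Stand-alone reproduction of the unescaped INSERT problem discussed in the thread.

sqlite3 in memory stands in for bbPress/MySQL. Schema and sample data are constructed.
"""
import sqlite3

# Constructed stand-in for the plugin's privatemessages table.
SCHEMA = """
CREATE TABLE privatemessages (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    id_sender   INTEGER NOT NULL,
    id_receiver INTEGER NOT NULL,
    pmtitle     TEXT    NOT NULL,
    message     TEXT    NOT NULL,
    created_on  TEXT    NOT NULL
)
"""

COLUMNS = "(id_sender, id_receiver, pmtitle, message, created_on)"


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def build_query_unescaped(id_sender, id_receiver, pmtitle, message, created_on):
    """Mirror the plugin's pattern: intval() on the ids, raw text spliced into the SQL."""
    id_sender = int(id_sender)
    id_receiver = int(id_receiver)
    return (f"INSERT INTO privatemessages {COLUMNS} "
            f"VALUES ('{id_sender}', '{id_receiver}', '{pmtitle}', '{message}', '{created_on}')")


def pm_new_message_unescaped(db, id_sender, id_receiver, pmtitle, message, created_on):
    """Return the new row id, or None when the statement fails (the 'undelivered PM' symptom)."""
    try:
        cur = db.execute(build_query_unescaped(id_sender, id_receiver, pmtitle, message, created_on))
        db.commit()
        return cur.lastrowid
    except sqlite3.Error:
        return None


def pm_new_message_safe(db, id_sender, id_receiver, pmtitle, message, created_on):
    """Same insert with bound parameters: the text is data, never SQL."""
    cur = db.execute(
        f"INSERT INTO privatemessages {COLUMNS} VALUES (?, ?, ?, ?, ?)",
        (int(id_sender), int(id_receiver), pmtitle, message, created_on),
    )
    db.commit()
    return cur.lastrowid


def fetch_pm(db, row_id):
    return db.execute(
        "SELECT id_sender, id_receiver, pmtitle, message, created_on "
        "FROM privatemessages WHERE id = ?",
        (row_id,),
    ).fetchone()


def demo():
    """Run both cases through both insert paths and return what ended up in the table."""
    results = {}
    ts = "2009-05-01 10:00:00"  # constructed timestamp

    # Case 1: an ordinary apostrophe. The unescaped INSERT is a syntax error and the
    # message is lost; the bound INSERT stores it verbatim.
    db = fresh_db()
    results["apostrophe_unescaped"] = pm_new_message_unescaped(db, 1, 2, "Don't forget", "see you at 5", ts)
    results["apostrophe_safe"] = fetch_pm(db, pm_new_message_safe(db, 1, 2, "Don't forget", "see you at 5", ts))

    # Case 2: a crafted title closes the quoted value, supplies its own message body and
    # created_on, and comments out the rest of the statement. With string splicing the
    # attacker controls columns the code never meant to hand over; with binding the whole
    # payload is just a strange title.
    payload_title = "hi', 'attacker-chosen body', '1970-01-01 00:00:00') -- "
    db = fresh_db()
    rid = pm_new_message_unescaped(db, 1, 2, payload_title, "victim never sees this", ts)
    results["injected_row"] = fetch_pm(db, rid)

    db = fresh_db()
    rid = pm_new_message_safe(db, 1, 2, payload_title, "victim never sees this", ts)
    results["bound_row"] = fetch_pm(db, rid)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running the file prints one line per case; the unescaped apostrophe case yields `None` (no row), the injected case yields a row whose message and timestamp came from the title field, and both bound cases store exactly what the sender typed.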


    I’m using the PM plugin by Nightgunner5 – is it ok, or is it a risk as well?




    While I have not reviewed Nightgunner’s code, that version is a complete rewrite, so I suspect it avoids the pitfalls of the original version and is probably safe to use.

    Cheers _ck_



    Just want to make sure I did it correctly. So with this new code that CK re-wrote, how much do you replace?

    I assume just the function from

    function pm_new_message( $id_receiver, $id_sender, $pmtitle, $message ){


    You replace just that section to the } with the CK rewrite?

    PS thanks for this, security issue=bad

    Olaf Lederer


    I removed the PM plugin some time ago; personal messages are often a big problem on forums.

    I think a contact form which is sent to the “hidden” user email address is a much better solution.

    I think a contact form which is sent to the “hidden” user email address is a much better solution.

    That would indeed be an awesome feature to have.

    Do you know if this problem is resolved? I had the plugin downloaded onto my bbPress forum for me a few days ago and I was not aware of this topic at the time. Is it now safe to use or should I be taking it off?

    Ben L.

    @nightgunner5 (a graph of the daily downloads) – 18 downloads this week, 6 of which were from today.

    It would benefit the bbPress community as a whole if Matt or MDA (or anyone else with access to the repository) could put up some kind of notice on the Private Messaging plugin page that tells about the security risks.

    Andrea Pernici


    Is it now solved? In the plugin I cannot find that function.

    Is it solved? I am afraid now.
