Plugin self-deactivates?
Closed this issue · 6 comments
For the last couple of days, PGC seems to deactivate by itself every few hours.
I enabled WP_DEBUG to try to find whether there's any error message, but there's nothing specific to PGC or to the time the deactivation seemed to happen. So nothing looks suspicious to me.
I am relatively new to WP and to web development in general, so I'm at a loss about what else to try in order to debug this. So... any idea about what to do, where to look?
For a bit of context, I have 25 plugins activated, but this only is happening with PGC.
PGC had been working correctly for weeks if not months until a couple of days ago (Wednesday). At that point I didn't think much of it, just re-activated it and revamped a bit its configuration, and again it seemed to be working correctly. After a few hours, again it appeared deactivated. That's when I enabled logging with Debug Log Manager, activated PGC again, and set a periodic check on the page to detect any changes. And a few minutes ago again it appeared deactivated.
Interesting... Nothing has changed in the plugin.
Oooh, are you using a security monitor like "Wordfence" or "Patchstack"?
There was a very unlikely to be exploited potential vulnerability flagged, and maybe a security plugin is being overly ambitious and deactivating PGC?
Bingo. My provider does include WP Toolkit, which includes some kind of vulnerability checking, which shows PGC as vulnerable (CVSS 6.5) with "source: patchstack wordfence". And the logs show that it deactivated the plugin a number of times.
(Interesting too that it doesn't seem to be very consistent about deactivating it...)
Copy. Any way to bypass that? We'll work on a fix, but it'll be a few days at best.
As mentioned in the bug linked above, the only way to exploit the vulnerability is as a logged-in user, in which case, if an attacker has that level of access, you've got bigger problems to worry about.
Looks like I can only apply blanket solutions, like fully disabling the deactivation of plugins with vulnerabilities.
I changed the warning threshold, it's not clear if that will also apply to the deactivation functionality. I'll let you know.
Fixed with v2.0: /issues/49
Thank you.
FWIW, when I raised the warning threshold in WP Toolkit, it stopped deactivating PGC.