(2021-08-04, 08:34 PM) Moonface Wrote: Prior to the updates, Thread Description, Upcoming Events, and OUGC Awards were all outdated. I'm wondering if OUGC was the entry point, since it was the 1.8.3 version and the affected moderator account handed out a large number of awards to a singular user during the attack. Either that or the script wanted to be generous to a random user.
Could you share the DB rows for awards granted to that user? It might be possible this plugin is what caused the "backdoor".
But please note, for the moderator to exploit this, the moderator account should have been compromised first or the moderator should have been untrustworthy from the beginning. No bug found in the plugin up to today would grant access to accounts in any way.