Users (spammers) can send private messages with unactivated account

  • ajaxthemestudios



    I discovered that users (spammers in this case) can send private messages and spam other users even though their accounts are yet to be activated by WordPress.
    Is this how BuddyPress is designed or is this a bug?


Viewing 3 replies - 1 through 3 (of 3 total)

  • Varun Dubey



    Users will not be able to log in, and if they try to log in, they will get the following message.

    ERROR: Your account has not been activated. Check your email for the activation link.

    For spammers:

    ERROR: Your account has been marked as a spammer.

  • Paul Gibbs


    If you can find if this is actually happening and how to recreate it step-by-step, we’re of course more than happy to fix it.




    This is how it happened. We got an email from registered members that they are being spammed. Another member was sending them spam messages.
    The mail sent to them contained the name of the member, so we searched for it. We also got the spammer’s account username and link by checking the affected members’ messages directly under their profile page on the frontend. The spammer has a profile page already. However, the username could not be found in the users section of the backend.
    Then we checked users that have not activated their account or received the activation email through a plugin named Unconfirmed.
    That was when we found the spammer info, meaning the spammer has not activated his/her account yet but is already interacting with the community.
    I cannot explain why that happened. It seems even though the user has not activated his/her account, he/she is already recognized by BuddyPress.

