Version checks are an unnecessary user privacy abuse

I’m currently on /wp-admin/plugins.php?plugin_status=all&paged=1&s but every time I refresh your plugin is trying to send out the following to “https://gravityapi.com/wp-content/plugins/gravitymanager/version.php” as a “version check”. You are checking for updates EVERY TIME. Have you heard of caching?

Here’s the annoying part though. What you’re sending out is completely unnecessary for a version check. Why are you spying on all your customers? And if you are, are you GDPR compliant? Did you obtain permission from the user? How strong is your encryption? Is your data encrypted at rest? Are you undergoing yearly security audits? What are your policies on data breaches?

I could ask a hundred more questions but none would get to the root of the matter: you are abusing people’s trust and are collecting information that does not belong to you, without notifying or asking for permission.

{
    "method": "POST",
    "timeout": 15,
    "headers": {
        "Content-Type": "application\/x-www-form-urlencoded; charset=UTF-8",
        "User-Agent": "WordPress\/5.8.2",
        "Referer": "https:\/\/REDACTED.com"
    },
    "body": {
        "of": "gravityforms",
        "key": "5e13d0e0d9afat989465abitch7f9efc6",
        "v": "2.5.15", // your plugin, sure, why not I suppose.
        "wp": "5.8.2", // yeah, maybe to notify if there's incompatibility.
        "php": "7.4.24", // what does this matter to you? WP runs.
        "mysql": "10.3.31", // again, none of your business.
        "version": "2", // beats me why you need to duplicate this.
        // list of all plugins installed, active or inactive, in my wordpress installation that's running on my server. Why the hell do you need this? How does this help you check for a new gravityforms version?!
        "plugins": "[{\"name\":\"Advanced Custom Fields PRO\",\"slug\":\"advanced-custom-fields-pro\",\"version\":\"5.11\",\"is_active\":true},{\"name\":\"Classic Editor\",\"slug\":\"classic-editor\",\"version\":\"1.6.2\",\"is_active\":true},{\"name\":\"Cloudflare\",\"slug\":\"cloudflare\",\"version\":\"4.7.0\",\"is_active\":true},{\"name\":\"Comment Rating Field Pro\",\"slug\":\"comment-rating-field-pro-plugin\",\"version\":\"3.5.8\",\"is_active\":false},{\"name\":\"EWWW Image Optimizer\",\"slug\":\"ewww-image-optimizer\",\"version\":\"6.3.0\",\"is_active\":true},{\"name\":\"Gravity Forms\",\"slug\":\"gravityforms\",\"version\":\"2.5.15\",\"is_active\":true},{\"name\":\"Gravity Forms + Salesforce: API\",\"slug\":\"gravityformssalesforce\",\"version\":\"1.6.0\",\"is_active\":false},{\"name\":\"Gravity Forms Mailchimp Add-On\",\"slug\":\"gravityformsmailchimp\",\"version\":\"5.0\",\"is_active\":false},{\"name\":\"Gravity forms pre populate add-on\",\"slug\":\"Gravity-Forms-Prepopulate-master\",\"version\":\"0.1\",\"is_active\":true},{\"name\":\"MainWP Child\",\"slug\":\"mainwp-child\",\"version\":\"4.1.8\",\"is_active\":false},{\"name\":\"Official StatCounter Plugin\",\"slug\":\"official-statcounter-plugin-for-wordpress\",\"version\":\"2.0.6\",\"is_active\":true},{\"name\":\"Pronamic Google Maps\",\"slug\":\"pronamic-google-maps\",\"version\":\"2.3.2\",\"is_active\":true},{\"name\":\"Query Monitor\",\"slug\":\"query-monitor\",\"version\":\"3.7.1\",\"is_active\":true},{\"name\":\"Really Simple SSL\",\"slug\":\"really-simple-ssl\",\"version\":\"5.1.3\",\"is_active\":false},{\"name\":\"Redirection\",\"slug\":\"redirection\",\"version\":\"5.1.3\",\"is_active\":true},{\"name\":\"Sucuri Security - Auditing, Malware Scanner and Hardening\",\"slug\":\"sucuri-scanner\",\"version\":\"1.8.30\",\"is_active\":false},{\"name\":\"WP-SpamShield\",\"slug\":\"wp-spamshield\",\"version\":\"1.9.21\",\"is_active\":false},{\"name\":\"WP No Category Base\",\"slug\":\"wp-no-category-base\",\"version\":\"1.1.1\",\"is_active\":true},{\"name\":\"Yoast SEO\",\"slug\":\"wordpress-seo\",\"version\":\"17.6\",\"is_active\":true}]",
        // nothing below is needed for a version check.
        "tn": "REDACTED", // you don't need my name
        "tu": "",
        "tv": "1.1",
        "ta": "REDACTED.com", // you don't need my domain
        "tau": "https:\/\/REDACTED.com\/", // no need for this either
        "im": false,
        "fc": 2,
        "ec": "345",
        "emc": "364",
        "api": 0,
        "emeta": 4455,
        "ed": 4455,
        "en": 86,
        "lang": "en_US"
    }
}

This should be a simple GET to your public URL that spits out a version number. Then internally handle notifying the user of the new version. That’s it. That’s a version check.

Last note: At least have the decency to set a short timeout for the request. I got to this junk because I’m on a local dev env and I’m waiting 30+ seconds for your plugin to get on with it. Poor practices all around.
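What the minimal, cache-friendly version check described in the post above could look like inside a WordPress plugin, as an added example that is not Gravity Forms' code and not part of the original post. It assumes a hypothetical endpoint (https://example.invalid/version.txt) that returns nothing but a bare version string, and a MY_PLUGIN_VERSION constant holding the installed version; only WordPress core functions (transients, wp_remote_get) are used.

```php
<?php
// Added example: minimal plugin version check that sends no site data,
// caches the answer, and fails fast. The endpoint URL and the constants
// below are placeholders, not values from any real plugin.
const MY_PLUGIN_VERSION       = '2.5.15';
const MY_PLUGIN_VERSION_URL   = 'https://example.invalid/version.txt'; // placeholder
const MY_PLUGIN_VERSION_CACHE = 'my_plugin_remote_version';            // transient key

/**
 * Return the latest published version, or null if it is not known.
 * A plain GET with no body: the server learns nothing but that a
 * request happened. A good answer is cached for 12 hours; a failure is
 * cached for 10 minutes so a slow or unreachable endpoint (e.g. from a
 * local dev box) does not stall every admin page load.
 */
function my_plugin_remote_version() {
    $cached = get_transient( MY_PLUGIN_VERSION_CACHE );
    if ( false !== $cached ) {
        return '' === $cached ? null : $cached; // '' marks a cached failure
    }

    $response = wp_remote_get(
        MY_PLUGIN_VERSION_URL,
        array( 'timeout' => 5 ) // seconds; never the 15-30s seen in the post
    );

    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        set_transient( MY_PLUGIN_VERSION_CACHE, '', 10 * MINUTE_IN_SECONDS );
        return null;
    }

    $version = trim( wp_remote_retrieve_body( $response ) );
    // Accept only something shaped like a version number; the response
    // body is untrusted input and must not reach the UI unchecked.
    if ( ! preg_match( '/^\d+(\.\d+){0,3}$/', $version ) ) {
        set_transient( MY_PLUGIN_VERSION_CACHE, '', 10 * MINUTE_IN_SECONDS );
        return null;
    }

    set_transient( MY_PLUGIN_VERSION_CACHE, $version, 12 * HOUR_IN_SECONDS );
    return $version;
}

/** True when the published version is newer than the installed one. */
function my_plugin_update_available() {
    $remote = my_plugin_remote_version();
    return null !== $remote && version_compare( $remote, MY_PLUGIN_VERSION, '>' );
}
```

Hook my_plugin_update_available() into an admin notice and the endpoint is contacted at most twice a day per site, with nothing about the site, its plugins or its owner in the request.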

Hi Frank. I recommend sending this in with a support ticket for an official response:

https://www.gravityforms.com/open-support-ticket/technical/

© 2008 - 2021. Gravity Forms is a project by Rocketgenius Inc.