If I'm reading this correctly, they're essentially admitting to some of the malicious features described by the researcher, but claiming that they were included for support purposes, or as a way of sabotaging sites using pirated versions of their plugin.
1. Including features which can remotely grant unauthorized access or cause damage to a user's web site is inappropriate under any circumstances. Even if they're your customers, or if they aren't your customers, or whatever. You don't do that.
2. Pipdig hasn't come up with any sensible explanation for why their license checks were pointed at a competitor's web site. It's not even clear why the license check would be architected in a way that allowed for this.
3. Altering users' site content to change links from Blogerize to Pipdig is beyond the pale. Pipdig's explanation of this feature is incoherent; it isn't even consistent with the behavior of the code presented.
4. Obfuscating the code surrounding all of these questionable bits of functionality stinks of wrongdoing. It's understandable for a license check to be a little obfuscated, perhaps, but there's no reason why a remote administration feature should be (even if it had any reason for existing).
We're just a poor small company... that acts maliciously against our competitors using the code we sell to clients who have no idea! We're sorry we got caught, and it's hard to explain why this isn't bad.
Oh and they deleted repos apparently, gotta hide the evidence
"But all my customers love and trust me!" == "I'm just an above-average con man."
"But I was just doing this to support them without bothering them!" == "I'm clearly not ready to take responsibility and fess up to anything because I thought my deceptively named functions would fool everybody (and still do)."
"But my girlfriend and I love cat memes!" == "Please, for the love of god, can we forget about all this and talk about cat memes instead?" [I honestly have no clue what he was trying to get at in the first six paragraphs...]
It sounds like they got a little overaggressive fighting with the company that had hijacked their themes and were selling them last year.
They were probably obfuscating those functions to hide them from the people selling their themes. Sounds like they were also disabling this plugin as well.
But they definitely went about things the wrong way, including functions like that and obfuscating them is definitely not the right way to do things.
I think a simple "We're sorry we included these functions in this manner to combat the company stealing our themes last year. We understand this was wrong, and a fresh, clean version of the plugin will be out this week. We will do things the right way from now on; you can trust us, and we welcome audits of all our code."
> Firstly, the plugin includes a content filter that automatically replaces references to Blogerize, a service which claims to be a beginner’s blogging course, with references to Pipdig’s own services.
Generally speaking, most WordPress plugins alter the presentation or functionality of a site, not its content. There are some exceptions, like search-and-replace [1], but even in those cases the functionality is made obvious to the user.
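The comment above points at the two things a site owner can actually look for when auditing an installed plugin: a filter hooked on rendered content (`the_content` and friends) and obfuscation wrapped around it, plus runtime calls to hosts that are not the vendor's own. The following heuristic scanner is an added example written for this thread, not code from the original post or from any plugin discussed; the sample plugin sources, the hook and function lists, and the `vendor.invalid` / `competitor.invalid` hostnames are all constructed for illustration.

```python
"""Heuristic triage of WordPress plugin sources for content rewriting, obfuscation
and unexpected outbound hosts. Added example; the rules below are assumptions
chosen for illustration, not a complete or authoritative detection signature."""
import os
import re
from dataclasses import dataclass, field

# Filters that let a plugin rewrite what visitors see, rather than how it is presented.
CONTENT_HOOKS = {"the_content", "the_excerpt", "the_title", "comment_text"}
# Functions commonly used to hide code from casual review.
OBFUSCATION_MARKERS = ("eval", "base64_decode", "gzinflate", "gzuncompress", "str_rot13", "create_function")
# Ways a plugin can reach a remote host at runtime (license checks, phone-home, fetch-and-run).
REMOTE_CALLS = ("wp_remote_get", "wp_remote_post", "wp_remote_request", "file_get_contents", "curl_init")

HOOK_RE = re.compile(r"""add_filter\s*\(\s*['"]([A-Za-z0-9_]+)['"]""")
CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, OBFUSCATION_MARKERS + REMOTE_CALLS)) + r")\s*\(")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Calls that can delete content or tables; a "kill switch" needs something like these.
DESTRUCTIVE_RE = re.compile(r"\b(unlink|rmdir|wp_delete_post|DROP\s+TABLE|TRUNCATE)\b", re.I)


def _uniq(items):
    """Deduplicate while keeping first-seen order, so findings read in source order."""
    seen, out = set(), []
    for it in items:
        if it not in seen:
            seen.add(it)
            out.append(it)
    return out


@dataclass
class Findings:
    content_hooks: list = field(default_factory=list)
    obfuscation: list = field(default_factory=list)
    remote_calls: list = field(default_factory=list)
    unexpected_hosts: list = field(default_factory=list)
    destructive: list = field(default_factory=list)

    def score(self) -> int:
        """Crude risk score: each category counts, and the combinations the thread
        complains about (obfuscated content filters, obfuscated remote calls) count extra."""
        s = 0
        s += 1 if self.content_hooks else 0
        s += 2 if self.obfuscation else 0
        s += 1 if self.remote_calls else 0
        s += 2 if self.unexpected_hosts else 0
        s += 2 if self.destructive else 0
        s += 2 if self.obfuscation and self.content_hooks else 0
        s += 2 if self.obfuscation and self.remote_calls else 0
        return s


def scan_plugin_source(src: str, expected_hosts=frozenset()) -> Findings:
    """Scan one PHP source string. expected_hosts is the vendor's own host list (assumed
    known to the auditor); any other host contacted at runtime is flagged."""
    hooks = [h for h in HOOK_RE.findall(src) if h in CONTENT_HOOKS]
    calls = CALL_RE.findall(src)
    hosts = URL_RE.findall(src)
    return Findings(
        content_hooks=_uniq(hooks),
        obfuscation=_uniq(c for c in calls if c in OBFUSCATION_MARKERS),
        remote_calls=_uniq(c for c in calls if c in REMOTE_CALLS),
        unexpected_hosts=_uniq(h for h in hosts if h not in expected_hosts),
        destructive=_uniq(m.group(1) for m in DESTRUCTIVE_RE.finditer(src)),
    )


def scan_plugin_dir(path: str, expected_hosts=frozenset()) -> dict:
    """Walk a plugin directory and return {relative file path: Findings} for every .php file."""
    results = {}
    for root, _dirs, files in os.walk(path):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(root, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    results[os.path.relpath(full, path)] = scan_plugin_source(fh.read(), expected_hosts)
    return results


# Constructed sample: a content filter that swaps a competitor's name for the vendor's,
# plus a "license check" aimed at the competitor and an eval'd base64 blob.
SAMPLE_SUSPICIOUS = """<?php
/* Plugin Name: Example Theme Helper (constructed sample) */
add_filter('the_content', 'eth_fix_links');
function eth_fix_links($c) {
    return str_replace('competitor.invalid', 'vendor.invalid', $c);
}
function eth_check_license() {
    $r = wp_remote_get('https://competitor.invalid/wp-login.php');
    eval(base64_decode($GLOBALS['eth_blob']));
}
"""

# Constructed sample: an ordinary plugin that only talks to its own vendor.
SAMPLE_BENIGN = """<?php
/* Plugin Name: Example Widget (constructed sample) */
add_action('wp_head', 'ben_add_meta');
function ben_add_meta() { echo '<meta name="generator" content="example-widget">'; }
$r = wp_remote_get('https://vendor.invalid/api/version');
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        f = scan_plugin_source(src, expected_hosts={"vendor.invalid"})
        print(label, f.score(), f)
```

Run against a real install with `scan_plugin_dir("/path/to/wp-content/plugins/<plugin>", {"vendor.example"})` and review anything scoring above a handful of points by hand; the score is a triage aid, not a verdict. The useful signal is the combination: a plugin that hooks `the_content` is common, one that does so through `eval(base64_decode(...))` while contacting a host that is not its vendor's is exactly the pattern the thread describes.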
> Phil you need to stop with the lies. Not only do you outright lie about having the ability to kill sites with your plugin, you state that this was implemented in response to a security breach you experienced in July 2018. The code was implemented in November 2017.