Imported CSVs/TXT files saved to Media Library - not deleted

[marcusjwilson]

Great plugin, but...

I've noticed that, whenever we do an import, the file imported seems to be saved as a Private Attachment in the wp_posts database table, and also saved to the Media Library as a .txt file (or maybe it's the log from the import that is saved?) in the format db2438ef4cbc3ae2b29bfa5c59449473.txt.

I'm unable to look up the txt file in the Media Library, but it does seem to have been indexed by WPSearch plugin, and appears in search results for the site, which is a security issue, of course.

Uploaded CSVs, or TXT files containing user data, should presumably not be stored in the Media Library folders, even if the file name is obscure.

Best wishes Marcus

[LCmry]

Hi @marcusjwilson thanks for the report.

appears in search results for the site

Does this occur for anyone who is not the site admin?

Additionally, the file should be deleted 1 day after import, which I will check into.

[marcusjwilson]

Ah, thanks!

I had to delete the files immediately when I saw them appearing in search results, so I'm not sure if they would have disappeared in 24 hours.

We have a slightly weird set up on our site that Members do see Private Posts and Attachments in search results - it's just the way we set things up - so maybe that is why we're seeing this issue, and other users of the plugin aren't. We're using SearchWP plugin, which indexes new Posts (including attachment) to a new database table, so this may have picked up on the attachment and presented in search results, where a standard WordPress search wouldn't.

We may just need to remember to delete these files and attachments manually for now.

Best wishes Marcus