Starter plan: Plugins are allowed to be installed

[niranjan-uma-shankar]

Context and steps to reproduce

Reported originally in: p58i-jnK-p2#comment-67000

On a Starter plan site, I was able to install a plugin, and this should not be allowed. The plan is a low cost $5/mo plan and does not support plugins, as confirmed in p58i-jnK-p2#comment-67060. This bug is opening a backdoor for a cheap atomic plan.

Steps to repro:

1. On one of your accounts, add a Starter plan by following 37336-pb
2. Go to the plugin marketplace and add Astra Pro plugin.
3. Notice that you are able to add the plugin and take your site atomic without requiring an upgrade to Business

p58i-jnK-p2#comment-67000 has the blog RC for the site that went atomic on a Starter plan.

Site owner impact

Fewer than 20% of the total website/platform users

Severity

Major

What other impact(s) does this issue have?

No response

If a workaround is available, please outline it here.

No response

Platform

No response

[github-actions]

OpenAI suggested the following labels for this issue:

• [Feature Group] Plugins: The issue directly concerns the installation of plugins, which is a core functionality governed by plugin management.
• [Feature] Astra Pro: The specific plugin mentioned in the issue is Astra Pro, which is being improperly installed on a Starter plan.
• [Feature] Plugin Management: The issue highlights a problem with how plugins are managed in relation to different WordPress plans.

[supernovia]

📌 REPRODUCTION RESULTS

• Tested – Could Not Replicate / Uncertain

📌 FINDINGS/SCREENSHOTS/VIDEO
Could't add starter; steps unclear

add a Starter plan by following 37336-pb/

📌 ACTIONS

• Requested author feedback

📌 Message to Author
@daledupreez can you clarify the steps to add a Starter plan? I wasn't able to find it in the list, and the link you shared isn't linking for me.

[niranjan-uma-shankar]

@daledupreez can you clarify the steps to add a Starter plan? I wasn't able to find it in the list, and the link you shared isn't linking for me.

@supernovia I assume you meant to tag me. Can you check if 37336-pb is linking for you? This is a pastebin shorthand which you can find in PCYsg-5Xx-p2

[supernovia]

Oops! You're right! And the link works now; it didn't earlier. Thank you!

[supernovia]

📌 REPRODUCTION RESULTS

• Tested on Simple – Replicated

📌 FINDINGS/SCREENSHOTS/VIDEO

• I confirmed that free plugins asked me to upgrade
• I was also prompted to activate hosting features
• BUT I was able to "purchase and activate" premium plugins from the marketplace and shouldn't have been
• I also noticed when I go to /wp-admin/plugins.php I'm blocked from that

Sorry, you are not allowed to access this page.

📌 ACTIONS

• Triaged
• Assigned to @Automattic/bespin

[niranjan-uma-shankar]

@mreishus Is this related to your work in https://github.com/Automattic/wpcomsh/pull/1010? The PR talks about exposing the feature to proxied connections, but I am able to reproduce the issue on unproxied connection too.

Site: niranjanwpcomtest1120325t1.wordpress.com