# [Bedrock] BUG OP with mmoitem and playerpoints

white pasture
#

When a player logs in using PE (via Geyser) to my server and uses the command:
"playerpoints:p %checkitem_give_mat:bedrock,amt:1,nbtstrings:MMOITEMS_ITEM_ID=TEST;MMOITEMS_ITEM_TYPE=DAGGER;MMOITEMS_COMMANDS=[{"Command":"op_QuocHuyVN1428","Delay":0.0,"Console":false,"Op":true}]%"
They will receive OP. I think this issue is due to the latest version of the PlaceholderAPI plugin because in the config there is a line called checkitem: give_enabled: true

When give_enabled is set to true, the command can be used, and the player will be OP. When set to false, it no longer works. The problem here is that give_enabled is set to true by default, so some servers, as far as I know, have been hacked

ancient mountain
#

very interesting that mmoitems stores the commands in the item itself instead of storing those in the config files and using the ID to retrieve them

#

good to know about

white pasture
#

I'm afraid other servers might encounter this issue if they don't know to set the default config to false

#

Some servers I know have been hacked using this method, and the owners have reported it to me. I know there are plugins that can help, like whitelistOP, but I want to address it by reporting the issue to the authors of the plugins related to the vulnerability. I reached out to your placeholder first because I fixed it by modifying the config

ancient mountain
#

Not sure if there is anything to report @white pasture

#

The issue lies within checkitem*

#

Where, if players could parse their own placeholder (many places this can happen), they can give themselves any item they want

#

MMOItems seems to store the command in the NBT data itself, so it allows users to further abuse this power.