• Resolved Wudman

    (@wudman)


    For the last 24 hours I have been monitoring a concerted effort by a human bad actor who has succeeded in generating orders where three of the same items are purchased. All three of the same items are listed on separate lines. The Subtotal shows the correct price, but the Total only shows the price of one item. If I order the same three items, they all list on one line with a QTY indicated and the math is correct on both the Subtotal and Total.

    I haven’t been able to replicate ordering three of the same items and have them show up on individual lines AND miscalculate the total. On the spoofed orders, if the payment had been successful, the Order would show three items purchased, but the final charge would be for one.

    This bad actor is playing with three $13 items, so it seems more like a test than a serious threat. Our fulfillment is hands-on and even if Braintree authorized the purchase (which it hasn’t), we’d catch it in the office. Apparently he is using a bad credit card because the gateway is denying the transaction.

    Also, since we are a small student assessment and testing enterprise, we don’t sell any pricey hardware. Even if this bad actor spoofed up a pricey assessment package, we’d catch it in the office.

    If the same spoofing of WooCommerce happens to a business that sells pricey hardware and fulfillment isn’t verified between the front office and warehouse, someone could ship three computers and only get paid for one.

    Additionally
    – The offender uses some version of “Donald Cox” in his Gmail account.
    – He also uses a fake address in Euless, TX.
    – WordFence initially identified his IP addresses from Russia.

    When I effected a block of Russia and reduced his role to “No Role On This Site”, he came back, apparently using VPNs to spoof his IP, showing up using an AFRINIC and even a Boston IP. I called Boston, but instituted several IP range blocks and a country block related to the AFRINIC server.

    Yes, I did punch a ticket to WooCommerce. Their initial response was underwhelming, suggesting I use a security plugin to clean the site and have a good day. This site is hosted on WPEngine and I actively use WordFence Premium. So far no malware has been detected and attempts to access forbidden areas automatically result in getting punted from the website and a 24-hour or Permanent Block.

    My assessment is WooCommerce has a bug or an exploit that allows a user with bad intent to create an order that is calculated incorrectly. If it happened to the site I manage, it is likely happening to others.
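
Added example, not part of the original post or of WooCommerce itself: a pre-fulfillment check that flags the order pattern described above, where the same product appears on several lines and the order total is lower than the sum of its lines. It assumes orders are exported as JSON shaped like WooCommerce REST API order objects (`total`, `shipping_total`, `total_tax`, `line_items`, `fee_lines`) and that the total should equal line totals plus fees, shipping and tax; the sample orders and product ID are constructed.

```python
from collections import Counter
from decimal import Decimal

# Constructed sample data; field names assume the WooCommerce REST API order shape.
LINE = {"product_id": 55, "variation_id": 0, "quantity": 1,
        "subtotal": "13.00", "total": "13.00"}
SAMPLE_ORDERS = [
    {   # normal purchase: one line with a quantity of 3
        "id": 1001, "total": "39.00", "shipping_total": "0.00",
        "total_tax": "0.00", "fee_lines": [],
        "line_items": [dict(LINE, quantity=3, subtotal="39.00", total="39.00")],
    },
    {   # pattern from the post: three separate lines, total covers only one
        "id": 1002, "total": "13.00", "shipping_total": "0.00",
        "total_tax": "0.00", "fee_lines": [],
        "line_items": [dict(LINE) for _ in range(3)],
    },
]

def audit_order(order):
    """Return a list of findings for one order; an empty list means consistent."""
    findings = []
    items = order.get("line_items", [])
    # The post reports that a normal purchase merges identical items into one
    # line, so the same product/variation on several lines is worth a look.
    counts = Counter((i["product_id"], i.get("variation_id", 0)) for i in items)
    dupes = sorted(key[0] for key, n in counts.items() if n > 1)
    if dupes:
        findings.append(f"duplicate line items for product(s) {dupes}")
    # Recompute the total from its parts (assumed formula, see lead-in).
    expected = (sum(Decimal(i["total"]) for i in items)
                + sum(Decimal(f["total"]) for f in order.get("fee_lines", []))
                + Decimal(order.get("shipping_total", "0"))
                + Decimal(order.get("total_tax", "0")))
    actual = Decimal(order["total"])
    if abs(expected - actual) > Decimal("0.01"):
        findings.append(f"total {actual} != recomputed {expected}")
    return findings

def audit(orders):
    """Map order id -> findings for every order that needs a manual hold."""
    flagged = {}
    for order in orders:
        findings = audit_order(order)
        if findings:
            flagged[order["id"]] = findings
    return flagged

if __name__ == "__main__":
    for order_id, findings in audit(SAMPLE_ORDERS).items():
        print(f"HOLD order {order_id}: " + "; ".join(findings))
```

Extensions that attach per-item data can legitimately split one product across lines, so the duplicate-line finding is a prompt for review; the total mismatch is the finding that should block shipment.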

Viewing 2 replies - 1 through 2 (of 2 total)
  • Mirko P.

    (@rainfallnixfig)

    Hi @wudman,

    Thanks for reporting this.

    I would suggest first of all to make sure you have all the latest updated versions of WordPress, WooCommerce and all other plugins you’ve activated. Sometimes, outdated versions can cause trouble and open the site to exploits.

    Another recommendation would be setting up a duplicate/staging site – deactivate all other plugins except WooCommerce and switch to a default theme like Storefront. You can then spend some time testing the default configuration and see if you’re able to replicate the issue on your staging site. If your host doesn’t offer an option for that, we recommend WP Staging for quickly spinning up a new test site.

    Thanks.

    Mirko P.

    (@rainfallnixfig)

    Hi there,

    Since we haven’t heard from you in a while, we’re hoping that means you were able to get this resolved. I’m going to close this thread out now.

    If you’re still having trouble, please open up a new topic and we’ll be happy to help out.

  • The topic ‘Active attempts exploting WooCommerce’ is closed to new replies.