• Resolved mywebmaestro

    (@mywebmaestro)


    This morning I had several clients report they’ve been seeing “failed orders” in their stores, where the payment failed and the info was obviously fake. (See below.) I haven’t found any reference to this online yet, but wanted to know if there’s a way to determine if this is a general software spam attack against woocommerce stores overall, or something specific to sites on my server. Has anyone else here seen this? Or is there some way I can determine more information and/or protect against it?

    Order info:
    bbbbb bbbbb
    bbbbb
    74 xxxxxxx Rd
    xxxxxxx
    EX14 5HN
    United Kingdom (UK)
    xxx xxxx xxxx
    [email protected] (another one used [email protected])

Viewing 9 replies - 151 through 159 (of 159 total)
  • @carike – That would be lovely if everyone could update WooCommerce; however, many sites aren’t in a position to suddenly update the whole WooCommerce library to apply a patch.

    @carike Great! A billion $$$ company cannot pay staff to work correctly and relies on volunteers…
    I guess that you all support this?!

    Thank you again @wigster for your help. Are you going to edit your code to make it easy to add more @domain entries in case of future attacks? It’s so weird that this kind of plugin has never been available until now?!

    Unfortunately not many sites will become aware that they need to install an additional plugin either.
    Realistically, an update to security plugin firewalls has the highest probability of protecting the most sites.
    Some posters in this thread got their information from the NinTechNet blog.
    They have a WAF called Ninja Firewall in the plugin repository: https://www.ads-software.com/plugins/ninjafirewall/
    There is no waiting period for their firewall rules, like with the free version of some other security plugins.
    People who have interacted with me before know that I am very wary of recommending specific plugins, but it may be a good idea for those who are interested in this thread to see if the current firewall rules for the above plugin already protect against this particular attack.
    There are also a number of other options (under Firewall Policies – Basic Policies – General) which may help protect sites.

    @celsta I think you may be confusing www.ads-software.com with WordPress.com.
    www.ads-software.com is a non-profit organization that is a collaboration between various developers to create free opensource code.
    No one is anyone’s customer here.
    If you are using paid WooCommerce products, please make use of their support here: https://woocommerce.com/
    In the meantime, I am sorry you are having a hard day(s) because of the issues on your site, but you do not get to take your bad day out on me, or on anyone else here.

    @carike Thanks for helping out.
    I have tried that NinjaFirewall plugin and unfortunately it doesn’t (yet) solve the problem.
    The issue in this particular situation is it’s a pretty simple “hack”, and pretty hard to trace—it’s more of a spam technique than a true vulnerability.
    I have sites that are fully secured with Cloudflare/Amazon WAF/security plugins/Wordfence/WP Engine/Cloudways etc. etc., and the spam orders will still get through, as the IPs they come from and the user agents are easily spoofed.

    This Spam issue must be a serious issue.
    I will try the (@wigster) plugin and see how it works on my site.

    I’m also using Woocommerce Stripe Gateway plugin, and have been hacked.
    So it must be something related to this plugin or WooCommerce itself.

    To prevent important updates from being buried in the other comments, we’ve requested that this thread be locked.

    Our team is actively investigating this, and an update will be posted as soon as one is available.

    If you have new information that can help, please contact us at WooCommerce.com > My Account > Support. You may need to create an account before you can access that page.

    If the information pertains to a WooCommerce vulnerability you’ve identified please report it via the HackerOne portal so it can be responsibly disclosed.

    For tracking purposes, please link to this forum thread.

    Internal tracking ID: p3btAN-1j5-p2

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    See https://developer.woocommerce.com/2020/11/05/woocommerce-4-6-2-fix-release/

    The problem is acknowledged and a fix is available.

  • The topic ‘Failed Orders – Fake Information’ is closed to new replies.