• Resolved omolano

    (@omolano)


    We’ve had hundreds of small fake charges to random people made by our Stripe account. I even got some calls from random people asking why we charged them! This is due to some fraudsters using our Stripe API key for card testing (testing whether a stolen card is valid).

    I’m suspecting that the “Accept Stripe Payments” plugin may have some security problem that exposes the API key, because we changed our API key so the fake charges ceased, then configured it in this WordPress plugin to continue accepting Stripe payments in our page, and then we got spammed again with fake charges to random people.

    Could the authors of the plugin please look into it?

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Support mbrsolution

    (@mbrsolution)

    Hi, thank you for reaching out to us. I have submitted a message to the developers to investigate your issue.

    Kind regards.

    Plugin Author mra13

    (@mra13)

    Hi, sorry to hear that you had this spam bot attack issue. Please enable the following captcha feature which will solve this for good:

    https://s-plugins.com/stripe-payments-recaptcha-addon/

    Let us know how you go after you enable the captcha feature.

    The same has happened to me. A couple of months ago I noticed this happening and as the site only sells products later in the year I unpublished the page. It stopped the fraudulent payment attempts. Then last week it started again even though the form was not accessible on the site. So with captcha or not it makes no difference. I had to deactivate the plugin.

    Thread Starter omolano

    (@omolano)

    OK, I have enabled the invisible reCAPTCHA with my API keys.

    Still, my question would be: How is it possible that those scammers can create $0,50 and even $0,00 payments to our Stripe account with their stolen cards even though we don’t have any product with that price?! (the lowest one is a lot higher).

    How can that even be possible?

    Plugin Author mra13

    (@mra13)

    Don’t do the invisible captcha. Instead do the “checkbox” one which Stripe recommends. Stripe explains why this happens on their site here:
    https://stripe.com/docs/card-testing

    The above page has a lot of information related to this topic that will answer most of your questions.

    Plugin Author mra13

    (@mra13)

    Please note that the “Invisible” captcha option doesn’t provide the maximum protection. So if your site is experiencing the card testing issue, use the “I am not a robot” checkbox captcha option.

    As an alternative, you can try the hcaptcha option for your site to see if that works better than reCAPTCHA for your site:
    https://s-plugins.com/stripe-payments-hcaptcha-integration/

    We also experienced the same issue today. Hundreds of transactions, most declined but some have gone through which I’ve now refunded. The transactions were definitely processed via the plugin as I received an email notification for each failed transaction coming from the WordPress plugin.

    As reported by @omolano, somehow they were able to vary the payment amount and currency for each transaction (we use AUD, these transactions were all in USD).

    I’ve disabled the plugin and revoked the Stripe API keys as our particular application is no longer being promoted so it’s not worth my while to fix it.

    For the record we were using the latest version of the plugin and Google’s invisible Recaptcha was enabled.

    Plugin Author mra13

    (@mra13)

    Sorry to hear that you had this attack on your site. The “invisible captcha” option sometimes doesn’t work against this type of card testing. This is pointed out by Stripe here:
    https://stripe.com/docs/card-testing

    If you want to use the plugin in the future, use the “I am not a robot” captcha option. We have some explanation of it on the captcha configuration documentation here:
    https://s-plugins.com/stripe-payments-recaptcha-addon/

    Thread Starter omolano

    (@omolano)

    Hello @mra13. I followed your recommendation and I switched to the checkbox captcha, but I’m still receiving tons of purchases, so that doesn’t seem to work. Also, the purchases have prices that I never configured in the “Accept Stripe Payments” plugin. How can they set prices different from what is configured in the plugin?

    Plugin Author mra13

    (@mra13)

    @omolano, after doing the first transaction (taking authorization from Stripe API), they don’t use the plugin anymore. They send the request directly from their server to Stripe’s API. Stripe has some tips on what security related options you can tighten in your Stripe account to help with this:
    https://stripe.com/docs/card-testing#how-card-testing-works

    Are you using the authorize and capture feature in any of the products by any chance?

    Different bad actors will do things slightly differently. So it needs a bit of investigation and then I can advise on the setup to tighten things. Please contact us using our contact form on the following page so we can do more investigation to see what is happening on this site:

    https://support.tipsandtricks-hq.com/contact

    Please mention this post in the contact form so it gets marked for me.
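    The posts above describe the two signs of card testing that site owners noticed: charges for amounts and currencies that were never configured in the plugin, and bursts of small attempts arriving in quick succession. The script below is an added example for site owners reviewing their own charge records; it is not code from the plugin, from Stripe or from anyone in this thread. It runs over constructed records that loosely mirror Stripe Charge fields (amount in minor units, currency, status, created) plus an assumed `ip` field that a site’s own request log would supply, and it flags charges that do not match the catalog or that arrive in a burst from one address, then lists the succeeded ones that need a refund review.

```python
"""
Card-testing triage over charge records (added example, hypothetical data).

Flags charges whose amount or currency does not match the configured product
catalog, and bursts of attempts from the same IP inside a short time window.
"""
from collections import defaultdict

# Constructed sample records (not real data). Field names loosely follow
# Stripe Charge objects; "ip" is an assumed field from the site's own logs.
SAMPLE_CHARGES = [
    {"id": "ch_001", "amount": 4999, "currency": "aud", "status": "succeeded", "created": 1000, "ip": "203.0.113.10"},
    {"id": "ch_002", "amount": 50,   "currency": "usd", "status": "failed",    "created": 2000, "ip": "198.51.100.7"},
    {"id": "ch_003", "amount": 0,    "currency": "usd", "status": "failed",    "created": 2001, "ip": "198.51.100.7"},
    {"id": "ch_004", "amount": 100,  "currency": "usd", "status": "succeeded", "created": 2003, "ip": "198.51.100.7"},
    {"id": "ch_005", "amount": 50,   "currency": "usd", "status": "failed",    "created": 2004, "ip": "198.51.100.7"},
    {"id": "ch_006", "amount": 4999, "currency": "aud", "status": "succeeded", "created": 9000, "ip": "203.0.113.11"},
]

# Assumed shop configuration: product prices in cents and the shop currency.
CATALOG_AMOUNTS = {4999, 12000}
EXPECTED_CURRENCY = "aud"


def flag_charges(charges, catalog_amounts=CATALOG_AMOUNTS,
                 expected_currency=EXPECTED_CURRENCY,
                 window=60, burst_threshold=3):
    """Return {charge_id: [reasons]} for charges that look like card testing."""
    reasons = defaultdict(list)

    # Rule 1: amount or currency the plugin was never configured to charge.
    for c in charges:
        if c["currency"].lower() != expected_currency:
            reasons[c["id"]].append("currency_mismatch")
        if c["amount"] not in catalog_amounts:
            reasons[c["id"]].append("amount_not_in_catalog")

    # Rule 2: `burst_threshold` or more attempts from one IP within `window`
    # seconds, found with a sliding window over the time-sorted records.
    by_ip = defaultdict(list)
    for c in sorted(charges, key=lambda x: x["created"]):
        by_ip[c["ip"]].append(c)
    for rows in by_ip.values():
        start = 0
        for end in range(len(rows)):
            while rows[end]["created"] - rows[start]["created"] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                for r in rows[start:end + 1]:
                    if "burst_from_ip" not in reasons[r["id"]]:
                        reasons[r["id"]].append("burst_from_ip")

    return dict(reasons)


def refund_candidates(charges, flagged):
    """Succeeded charges among the flagged ones: these are the ones a shop
    owner actually has to refund, as the posters in this thread did."""
    return sorted(c["id"] for c in charges
                  if c["id"] in flagged and c["status"] == "succeeded")


if __name__ == "__main__":
    flagged = flag_charges(SAMPLE_CHARGES)
    for cid, why in sorted(flagged.items()):
        print(f"{cid}: {', '.join(why)}")
    print("review for refund:", refund_candidates(SAMPLE_CHARGES, flagged))
```

    The catalog and currency rules are the cheap checks: a legitimate checkout through the plugin can only produce the prices the shop configured, so anything else came from somewhere other than the checkout form. The burst rule catches the automated pattern even when the amounts happen to be plausible. Tune `window` and `burst_threshold` against normal traffic before relying on the output.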

    Plugin Author mra13

    (@mra13)

    @omolano, Just a quick follow up. If you are still having the issue please use the contact form to get in touch.

    I have reported this 6 months ago. Seems to continue.
    I love this plugin, but can’t use it….
    In my case, I just got a few charge attempts from hackers, all seem manual.

    If there is a 100% safe way of using this plugin, would love to get it back online.
    Thanks !

    Having this same issue. It’s definitely the plugin. Spoke to Stripe. I had 4,000 fraudulent card testing orders go through this plugin in one night. I “made” thousands of dollars in charges that were fraud. Now I’m on the hook for refund fees, chargebacks, and disputes. I’m out a ton of money and time. And my shop’s reputation is trashed.

    This has happened multiple times over the last few months, but no actual charges ever went through until last night. Usually they were all blocked. But this time, I actually got hundreds of completed orders and money into my account that I now have to deal with and pay for.

    Stripe confirmed it was my integration with this plugin. The second I disabled the plugin, the emails and fraud orders stopped.

    This is a HUGE PROBLEM.

    Plugin Author mra13

    (@mra13)

    This can happen if the captcha v2 option is not enabled. This is explained in the following documentation:
    https://s-plugins.com/stripe-payments-recaptcha-addon/

    You won’t have any issue with Stripe if you explain to them that you were attacked by card testing.
    https://stripe.com/docs/card-testing

    I posted in an earlier post about contacting us so we can check more details to make sure which version of the plugin you were using and your captcha setup (if you were using any), but to date no one has contacted us.

    Plugin Support mbrsolution

    (@mbrsolution)

    Hi, please check the latest version. There is a notice to enable the captcha feature (if it is not already enabled). This should prevent this issue from occurring again.

    Thank you.

  • The topic ‘Possible security hole in Accept Stripe Payments for WordPress’ is closed to new replies.