• Hello WordPress community!

    Recently I was notified about someone commenting on a post. In general we do not enable commenting on posts. But what is very strange about the comment is the corresponding post stated by WordPress: it simply does not exist.

    So in the backend there is this comment displayed in the comment menu, waiting for approval. WordPress also states on which page the comment has been submitted and links the page. But the page does not exist; when I click on the link it results in an error 404.

    The stated URL contains the name of one of the main menu points.

    Presumably the comment has been submitted by a robot sending some packets, as it is pure spam/advertisement and we do not offer commenting on our pages; especially on pages that do not exist.

    Should this be possible? And how could this have been achieved?

    I am still using WordPress 5.5.3 and will update ASAP if this specific version is not needed to reproduce/fix this issue.

    Thank you for any help in advance!

    • This topic was modified 3 years, 3 months ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Everything else WordPress topic
Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator James Huff

    (@macmanx)

    5.5.3 is a bit older than we can support here.

    It would be better if you were on 5.8.2, but if you must remain on the 5.5.x branch, please at least upgrade to 5.5.7, which includes several bug and security fixes over 5.5.3.

    Thread Starter orca26

    (@orca26)

    Alright, I understand that.

    But I wonder if anyone has an idea how it could have been possible to leave a comment without using a comment form?

    Is/Was there a way to comment using wp-comments-post.php (or another API) so that it registers receiving a comment without checking if the post exists?

    I could not find any exploits regarding the commenting function within the latest changes. Is there a way to check if the site has been compromised while achieving this strange behaviour?

    Thank you very much for any thoughts on that!

    Moderator James Huff

    (@macmanx)

    If it wasn’t a trackback or pingback, and the comment form wasn’t available, it could have been a compromise.

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    And, absolutely at least update to 5.5.7. 5.5.7 includes the same security fixes as up to 5.8.2; you can compare the release dates here: https://www.ads-software.com/download/releases/

    As WordPress is open source software, once a security fix is applied, it becomes public knowledge.
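
One way to triage a comment like the one discussed in this thread, as an added example that is not part of the original posts and is not WordPress's own code: join the comments table against the posts table and separate pingbacks/trackbacks, comments on missing or unpublished posts, and comments on posts with commenting closed. The default `wp_` table prefix, the reduced column set, the verdict labels and every row are assumptions constructed for illustration.

```python
import sqlite3

# Constructed miniature of two WordPress core tables (default "wp_" prefix assumed).
SCHEMA = """
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_status TEXT,
                       comment_status TEXT, ping_status TEXT);
CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, comment_post_ID INTEGER,
                          comment_type TEXT, comment_author_IP TEXT);
"""
# Constructed sample rows; the IPs are documentation addresses (192.0.2.0/24).
POSTS = [(10, "publish", "closed", "closed"), (11, "publish", "closed", "open"),
         (12, "trash", "closed", "closed"), (13, "publish", "open", "open")]
COMMENTS = [(1, 10, "comment", "192.0.2.10"), (2, 11, "pingback", "192.0.2.11"),
            (3, 12, "comment", "192.0.2.12"), (4, 99, "comment", "192.0.2.13"),
            (5, 13, "comment", "192.0.2.14")]

# LEFT JOIN keeps comments whose post row is gone (p.ID comes back NULL).
TRIAGE_SQL = """
SELECT c.comment_ID, c.comment_type, p.ID, p.post_status,
       p.comment_status, p.ping_status
FROM wp_comments c LEFT JOIN wp_posts p ON p.ID = c.comment_post_ID
ORDER BY c.comment_ID
"""

def classify(ctype, post_id, post_status, comment_status, ping_status):
    """Return a hypothetical verdict label for one comment row."""
    if post_id is None:
        return "orphan"                    # comment_post_ID matches no post
    if post_status != "publish":
        return "post-not-public"           # trashed, draft, private, ...
    is_ping = ctype in ("pingback", "trackback")
    # Pings are governed by ping_status, form comments by comment_status.
    if (ping_status if is_ping else comment_status) != "open":
        return "ping-while-closed" if is_ping else "comment-while-closed"
    return "expected"

def build_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", POSTS)
    conn.executemany("INSERT INTO wp_comments VALUES (?,?,?,?)", COMMENTS)
    return conn

def triage(conn):
    """Map comment_ID -> verdict for every comment in the database."""
    return {row[0]: classify(*row[1:]) for row in conn.execute(TRIAGE_SQL)}

if __name__ == "__main__":
    for cid, verdict in triage(build_sample()).items():
        print(cid, verdict)
```

Anything other than `expected` is a row worth inspecting further; a pingback on a post where pings are still open lands in `expected` even when the comment form is disabled.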

  • The topic ‘Someone commented on a non-existing post’ is closed to new replies.