Recently there seems to have been a surge in spam WooCommerce orders. They all seem to follow a similar pattern of:
bbbbb bbbbb
bbbbb
74 Eastbourne Rd
ROBOROUGH
EX14 5HN
They seem to use a random fake email address from the domain abbuzz.com
This seems to be a widespread issue, with a huge (now locked) thread on .org: https://wordpress.org/support/topic/failed-orders-fake-information/
In this thread, users have identified that it appears to be a bot looking for some specific vulnerabilities in the following plugins:
- Loginizer
- Drag and Drop multiple file upload for Contact Form 7
- Super Store Finder
- Super Interactive Maps
- Super Logo Showcase
- WP File Manager
It also attempts to upgrade the WordPress database. If you have any of the above plugins, we’d suggest updating or removing them immediately. It’s also a good opportunity to make sure all other plugins, themes and core WordPress is up to date as well as having a good backup routine in place.
The bot also creates a series of usernames, it’s probably best to delete these as well as the spam orders.
How can we fight this?
A huge amount isn’t yet known about this attack, but a simple plugin has been made to stop these orders:
The plugin is quite basic in that it’s using a simple filter to block the known used name and email address domain from registration. Whilst this seems like a good short-term solution, we hope that the WooCommerce team will step up to provide a better long-term solution for this.
Update:
The WooCommerce team released 4.6.2 which has the following in the change log:
” allows anonymous users to create an account during checkout even when the “Allow customers to create an account during checkout” setting is disabled.”
This does however rely on the setting “Allow customers to create an account during checkout” to be disabled, which isn’t going to be possible for every store.
Have you been affected by this? Let us know in the comments.