• Resolved shimist

    (@shimist)


    Hi,

    My WooCommerce site is receiving thousands of malicious requests like:

    /cart?remove_item=684027dbc37ac8c5f78fb2c16d781f25
    /cart?remove_item=random_32_char_string
    • Come from datacenter IPs
    • Have no woocommerce_cart_hash cookie
    • Are likely automated bot attacks scanning for vulnerabilities
    • Cause high CPU usage on the server

    Questions for the community:

    1. Is there a known vulnerability being exploited here?
    2. What’s the recommended way to secure /cart?remove_item= endpoints?
    3. Should WooCommerce validate remove_item requests differently?
    4. Are there built-in security features I’m missing?
    5. How can I distinguish between legitimate AJAX calls and bot attacks?
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi there

Thank you for sharing these details. It sounds like your site is experiencing automated bot attacks targeting the /cart?remove_item= endpoint. This is a known type of behavior where bots attempt to manipulate cart sessions, often looking for vulnerabilities, but it is not a vulnerability in WooCommerce itself.

    1. WooCommerce Validation
      • WooCommerce already performs server-side validation for cart actions, including remove_item.
      • Requests without a valid cart session (woocommerce_cart_hash cookie) are ignored and will not modify your cart.
    2. Securing /cart?remove_item= requests
      • Ensure your site is using the latest WooCommerce version. Security patches and nonce checks are built in for cart actions.
      • Use security/firewall plugins (e.g., Wordfence, Sucuri) or server-level firewall rules to block suspicious IP ranges, particularly from datacenter or cloud provider IPs.
      • Consider limiting access to /wp-admin/admin-ajax.php if possible, since AJAX requests are the usual attack vector.
    3. Distinguishing legitimate vs. bot requests
      • Legitimate AJAX cart requests include cookies like woocommerce_cart_hash and wp_woocommerce_session_….
      • Requests without these cookies, coming in large numbers from datacenter IPs, are almost always bots.
    4. Additional measures
      • Enable reCAPTCHA on checkout/login forms.
      • Monitor server logs to identify IPs generating repeated malicious requests and block them.
      • Use caching or rate-limiting plugins to reduce CPU load from repeated attacks.

    I hope this helps.

    Thread Starter shimist

    (@shimist)

    @shahzeenfarooq Thank you for your explanation. All requests are cookieless and from data centers.
    I have to block them too.
    I also consider IP ranges,
    but the number is large and the IP is variable.

    Plugin Support shahzeen(woo-hc)

    (@shahzeenfarooq)

    Hi there!

    Thank you for the clarification.

    Since these requests are coming from a large and variable range of data center IPs, it can be difficult to block them effectively at the application level. A more reliable approach is to implement server-level or hosting/CDN protections.

    We recommend reaching out to your hosting provider to see if they can help you:

    • Block or challenge bot traffic targeting /cart?remove_item=
    • Apply rate-limiting for cookieless requests

    Alternatively, I recommend you take a look at this guide and take steps to try to block bots by editing .htaccess file instead: https://www.seoblog.com/block-bots-spiders-htaccess/.

    I hope this helps.
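    The two replies above give a concrete test for telling shoppers from bots (a remove_item request with none of the woocommerce_cart_hash / wp_woocommerce_session_ cookies, arriving in volume from datacenter IPs) and recommend rate-limiting cookieless requests at the server or CDN. The following Python script is an added example, not part of this thread and not WooCommerce's own code: it applies that test to access-log lines and reports which IPs exceed a per-minute limit for cookieless remove_item hits, so the result can be handed to the host or turned into firewall rules. It also treats the absence of a _wpnonce parameter as a bot signal, since the remove links WooCommerce renders on the cart page carry one. It assumes a custom Apache LogFormat that appends the Cookie header after the User-Agent (the stock combined format does not log cookies), and the log lines, IPs and cookie values are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumed (hypothetical) log format, one quoted column more than "combined":
#   LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\" \"%{Cookie}i\"" cartlog
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Cookies a real cart session carries (the second is a name prefix).
WC_COOKIE_MARKERS = ("woocommerce_cart_hash=", "wp_woocommerce_session_")

# Constructed sample lines: one IP hammering remove_item with no cookies,
# one single cookieless probe, and one shopper who clicked a real remove link.
SAMPLE_LOG = """\
203.0.113.10 [04/Mar/2025:10:00:01 +0000] "GET /cart?remove_item=684027dbc37ac8c5f78fb2c16d781f25 HTTP/1.1" 200 "Mozilla/5.0" "-"
203.0.113.10 [04/Mar/2025:10:00:02 +0000] "GET /cart?remove_item=0a1b2c3d4e5f60718293a4b5c6d7e8f9 HTTP/1.1" 200 "Mozilla/5.0" "-"
203.0.113.10 [04/Mar/2025:10:00:03 +0000] "GET /cart?remove_item=ffffffffffffffffffffffffffffffff HTTP/1.1" 200 "Mozilla/5.0" "-"
198.51.100.7 [04/Mar/2025:10:00:05 +0000] "GET /cart?remove_item=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.1" 200 "python-requests/2.31" "-"
192.0.2.44 [04/Mar/2025:10:00:09 +0000] "GET /cart?remove_item=684027dbc37ac8c5f78fb2c16d781f25&_wpnonce=1f2e3d4c5b HTTP/1.1" 302 "Mozilla/5.0" "woocommerce_cart_hash=abc123; wp_woocommerce_session_9f8e=t1"
192.0.2.44 [04/Mar/2025:10:00:10 +0000] "GET /cart HTTP/1.1" 200 "Mozilla/5.0" "woocommerce_cart_hash=abc123"
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    # Apache logs "-" when the request carried no Cookie header at all.
    rec["cookie"] = "" if rec["cookie"] == "-" else rec["cookie"]
    return rec


def is_cart_remove(rec):
    """True for GET/POST /cart requests that carry a remove_item parameter."""
    return rec["path"].rstrip("/") == "/cart" and "remove_item" in rec["query"]


def has_wc_cookies(cookie_header):
    """True if the request carries the cookies a rendered cart page sets."""
    return any(marker in cookie_header for marker in WC_COOKIE_MARKERS)


def classify(rec):
    """Return 'legit', 'bot', or None when the record is not a remove_item hit."""
    if not is_cart_remove(rec):
        return None
    # A browser only reaches remove_item by clicking a link on the cart page,
    # which already set the session cookies and included a _wpnonce; a request
    # with neither was not produced by a shopper.
    if has_wc_cookies(rec["cookie"]) and "_wpnonce" in rec["query"]:
        return "legit"
    return "bot"


def max_hits_in_window(times, window_seconds):
    """Largest number of hits falling inside any window_seconds-wide interval."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(lines, window_seconds=60, max_per_window=5):
    """Count legit/bot remove_item hits and list IPs that exceed the rate limit."""
    counts = {"legit": 0, "bot": 0}
    bot_times = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line or a different LogFormat: skip, do not guess
        verdict = classify(rec)
        if verdict is None:
            continue
        counts[verdict] += 1
        if verdict == "bot":
            bot_times[rec["ip"]].append(rec["time"])
    blocklist = sorted(
        ip for ip, ts in bot_times.items()
        if max_hits_in_window(ts, window_seconds) >= max_per_window
    )
    return counts, blocklist


if __name__ == "__main__":
    totals, blocked = triage(SAMPLE_LOG.splitlines(), max_per_window=3)
    print(totals)   # {'legit': 1, 'bot': 4}
    print(blocked)  # ['203.0.113.10']
```

    Run it against a real log with the cookie column added (`triage(open("access.log"))`) and tune `max_per_window` to the highest rate a genuine shopper could plausibly produce; single cookieless probes such as 198.51.100.7 above are still counted as bots but stay below the threshold, which keeps the blocklist to the IPs actually burning CPU.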

    Plugin Support thelmachido a11n

    (@thelmachido)

    It’s been a while since we heard back from you, so we are closing this thread.

    If WooCommerce has been useful for your store and you appreciate the support you’ve received, we’d truly appreciate it if you could leave us a quick review here: 

     https://ww.wp.xz.cn/support/plugin/woocommerce/reviews/#new-post

    Feel free to open a new forum topic if you run into any other problem. 
