• So I have commented on a few threads here but the moderator would like me to make yet ANOTHER thread about the same issue!

    So to re-cap, as I am sure the developer is aware, a botnet is targeting WC shops using the WooCommerce PayPal Payments plugin. They sort products in the shop by low to high and select the first item (hiding it just makes them select the next item). On my site, which only sells to the UK, they are selecting a random postcode from the Fetchify plugin (previously Crafty Clicks) and then inserting a random road name along with a random name, email and phone number. IP addresses are always different.

    So far no payments have gone through, not sure if they are testing card numbers or Paypal email addresses but not the emails on the order as they are totally randomised.

    Tried installing reCaptcha but it doesn’t stop them so it looks like they have found a backdoor in. Only way to stop them is turning off Paypal Payments. I still had Paypal Standard installed which even though no longer supported still works and doesn’t seem to be affected.

    Just installed the latest update 3.1.1 but no difference but thanks for the annoying PAY LATER banners on the checkout even when disabled!

Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Support Krystian Syde

    (@inpsydekrystian)

    Hello @willf

    I suggested reaching out to us directly. Once you open a ticket with our service desk, we can provide the solution we already have for this type of activity.

    Here’s how you can request support: Request Support. Please include the URL of this thread in your ticket for reference so we have the full context. Thank you in advance.

    Tried installing reCaptcha but it doesn’t stop them so it looks like they have found a backdoor in

    There is no ‘backdoor’ happening here. The failed orders are the result of direct calls to the standard order creation API. This API is being triggered by bots using stolen card details to mimic the behavior of real orders. There’s no vulnerable or modifiable part in this logic on the client side; the actual processing logic is handled far beyond anything exposed via JavaScript or the browser.

    Failed orders may still appear when automated traffic interacts with the payment flow. These requests typically hit the endpoint used to create orders, but because ACDC (hosted fields) are not enabled, the logic fails early and returns an error along with the failed order.

    Kind Regards,
    Krystian

    Thread Starter willf

    (@willf)

    Strangely since the WordPress security update yesterday the failed orders have stopped. I couldn’t see anything in the update that related to the checkout or API etc but over 24 hours now and no failed orders, seems a coincidence??

    Thread Starter willf

    (@willf)

    Ignore that, just had one!

    Thread Starter willf

    (@willf)

    Hello @inpsydekrystian

    So I have opened a support request as requested but now it’s been closed. The plugin provided just dumps failed orders in the bin but annoyingly still sends an email that bounces (affects my reputation with Mandrill); it also causes a fatal error with Table Rate postage, so I have just turned Paypal off until this is resolved. Seems like a very easy solution would be to block any order attempts that have Order Attribution as Unknown Origin??

    Plugin Support Krystian Syde

    (@inpsydekrystian)

    Hello @willf

    You can safely ignore the notification about the ticket being closed. It’s an automatic Jira process, and the case can be reopened at any time if needed. You can reopen it just by responding to it.

    We’ll have a test package available on Monday that includes improved fraud prevention logic. It introduces an additional layer that filters out automated card testing attempts before they reach the checkout process, preventing unnecessary failed orders altogether.

    In the meantime, to avoid bounced email issues, you can disable notifications for failed orders under WooCommerce → Settings → Emails → Failed Order. This will stop WooCommerce from sending messages generated by failed bot orders.

    We’ll contact you on Monday once the test package is ready so you can verify it on your site before re-enabling PayPal.

    Kind Regards,
    Krystian

    Thread Starter willf

    (@willf)

    Ok, thanks.

    Thread Starter willf

    (@willf)

    Hi @inpsydekrystian

    Any sign of that test package? Had an order actually go through today despite AVS etc being enabled. Looks like the AVS setup from the card issuer probably was down? Here’s the info from the back-end (I have deleted the last 4 digits of card number).

    PayPal Advanced Card Processing Verification:

    • Card: VISA (****)
    • AVS: U: Unavailable / Address not checked, or acquirer had no response. Service not available.
    • CVV:

    Obviously I immediately refunded it.
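
    The pattern described in this thread (a burst of failed orders on the cheapest item with a fresh IP and e-mail every time, then one paid order that slipped through with AVS “U”) can be picked out of the order list automatically. The following is an added Python example, not code from the plugin or from anyone in the thread; it runs over constructed sample records, and the field names are assumptions chosen to mirror what a WooCommerce order exposes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample order records, not real data. Field names are assumptions
# that mirror what a WooCommerce order exposes: status, creation time, first
# line item, billing e-mail, customer IP, order-attribution source and AVS code.
SAMPLE_ORDERS = [
    {"id": 101, "status": "failed", "created": "2024-05-01T10:00:05", "product": "Sample Widget",
     "email": "qzk8@example.net", "ip": "203.0.113.10", "attribution": "unknown", "avs": "N"},
    {"id": 102, "status": "failed", "created": "2024-05-01T10:01:12", "product": "Sample Widget",
     "email": "hjt21@example.org", "ip": "198.51.100.7", "attribution": "unknown", "avs": "N"},
    {"id": 103, "status": "failed", "created": "2024-05-01T10:02:40", "product": "Sample Widget",
     "email": "rr0p@example.com", "ip": "203.0.113.77", "attribution": "unknown", "avs": "N"},
    {"id": 104, "status": "failed", "created": "2024-05-01T10:03:55", "product": "Sample Widget",
     "email": "m2x9@example.net", "ip": "192.0.2.33", "attribution": "unknown", "avs": "N"},
    {"id": 105, "status": "failed", "created": "2024-05-01T10:05:01", "product": "Sample Widget",
     "email": "v7lq@example.org", "ip": "198.51.100.200", "attribution": "unknown", "avs": "N"},
    {"id": 106, "status": "completed", "created": "2024-05-01T10:06:30", "product": "Sample Widget",
     "email": "b3nn@example.com", "ip": "192.0.2.120", "attribution": "unknown", "avs": "U"},
    {"id": 107, "status": "completed", "created": "2024-05-01T11:30:00", "product": "Deluxe Kit",
     "email": "alice@example.com", "ip": "203.0.113.5", "attribution": "organic", "avs": "Y"},
]

def card_testing_bursts(orders, window=timedelta(minutes=10), min_failed=5, min_distinct=0.8):
    """Group failed orders by product and flag any window of `window` length holding
    at least `min_failed` failures whose IPs and e-mails are almost all distinct:
    randomised identities hammering one cheap item is the signature in the thread."""
    by_product = defaultdict(list)
    for o in orders:
        if o["status"] == "failed":
            by_product[o["product"]].append((datetime.fromisoformat(o["created"]), o))
    flagged = []
    for product, rows in by_product.items():
        rows.sort(key=lambda r: r[0])
        for i, (start, _) in enumerate(rows):
            burst = [o for t, o in rows[i:] if t - start <= window]
            if len(burst) < min_failed:
                continue
            ips = {o["ip"] for o in burst}
            emails = {o["email"] for o in burst}
            if min(len(ips), len(emails)) / len(burst) >= min_distinct:
                flagged.append({"product": product, "count": len(burst), "first_order": burst[0]["id"]})
                break  # one alert per product is enough
    return flagged

def needs_manual_review(order):
    """A paid order with no usable address check (AVS 'U') from an unknown traffic
    source deserves a human look before it ships, as the order above did."""
    return order["status"] == "completed" and order["avs"] == "U" and order["attribution"] == "unknown"
```

    The thresholds (five failures in ten minutes, 80% distinct identities) are assumptions to tune against a shop’s normal failure rate, not values from the plugin.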

    Plugin Support Krystian Syde

    (@inpsydekrystian)

    Hello @willf

    Yes, we released it on Friday at the end of the day; the test package is included in this release candidate: https://github.com/woocommerce/woocommerce-paypal-payments/pull/3829

    You can safely update to version 3.3.0-rc2, which already includes the same improvements.

    After installing it, please go to: WooCommerce → Settings → Integration → WooCommerce PayPal Payments CAPTCHA
    or open it directly at: wp-admin/admin.php?page=wc-settings&tab=integration&section=wppc

    Refunding that transaction was the correct approach.

    Kind Regards,
    Krystian

    Thread Starter willf

    (@willf)

    Ok, should I delete the helper plugin I was given? WooCommerce PayPal Payments Failed Orders V 0.1.0

    Plugin Support Krystian Syde

    (@inpsydekrystian)

    Hello @willf

    Yes, you can remove that helper plugin. The built-in CAPTCHA protection now takes care of the failed order prevention logic, so the additional helper is no longer needed.

    Kind Regards,
    Krystian

The topic ‘Failed Orders’ is closed to new replies.