• Resolved Clayton R

    (@mrclayton)


    Hi @talextech,

    A merchant using our plugin, Payment Plugins for PayPal WooCommerce, created a support ticket a few days ago asking for reCAPTCHA verification when the PayPal button is clicked. https://ww.wp.xz.cn/support/topic/user-can-go-to-payment-process-without-google-recaptcha-verification-on-checkout/

    However, reCAPTCHA is still performed by your plugin since it hooks into the checkout form submit event. It seems this user wants the verification to take place at button click rather than at form submit, but in my review of things, that doesn’t add any additional security. After the customer has completed their PayPal login and intent to purchase, the popup closes and the checkout form is submitted. At that time, your plugin would call wpcaptcha_captcha and then verification would take place in woocommerce_checkout_process.

    Do you see any security benefit in actually triggering reCAPTCHA before the form is submitted?

    Kind Regards

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Alexandru Tapuleasa

    (@talextech)

    The way I understood it (probably because we were already working to add this) was that if the order was sent and payment failed, the payment page could be accessed directly to reattempt payment, and that page was not getting protected by captcha, which would create a hole for card testers to abuse.

    But in the case of PayPal I don’t think that applies anyway since it’s a different payment process and they have their own abuse protections.

    However, if your plugin were to allow processing card payments in a popup before the order was submitted, then I guess that would need a captcha to discourage card testing.

    Thread Starter Clayton R

    (@mrclayton)

    Hi @talextech

    Thank you for your response.

    “However if your plugin were to allow processing card payments in a popup before the order was submitted then I guess that would need a captcha to discourage card testing”

    No, card processing in a popup is not possible. For all payment methods implemented in the PayPal plugin, the checkout page form is submitted.

    I think the biggest misconception by users is they think payment is taking place when the PayPal popup opens. But the payment isn’t processed until the checkout form is submitted and all server-side validations pass. I can see your plugin uses the action woocommerce_checkout_process to verify that reCAPTCHA has been triggered, so payment is impossible unless reCAPTCHA succeeds.

    Kind Regards,

    Plugin Author Alexandru Tapuleasa

    (@talextech)

    Thanks for the clarification. I didn’t know the exact process either, but I assumed it must be some token that only triggers payment once the order is placed; otherwise it would make no sense, as the customer could change cart contents before they place the order.
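
The server-side gate this thread relies on, sketched as an added example that is not part of the thread and is not code from either plugin: a check on woocommerce_checkout_process that fails closed, so no order is created and no payment is processed unless the reCAPTCHA token verifies. It assumes a WordPress + WooCommerce environment and the standard reCAPTCHA form field `g-recaptcha-response`; the `example_*` function names and the `EXAMPLE_RECAPTCHA_SECRET` constant are hypothetical.

```php
<?php
// Added example, not the captcha plugin's implementation.
// EXAMPLE_RECAPTCHA_SECRET is a hypothetical constant (e.g. defined in wp-config.php).

add_action( 'woocommerce_checkout_process', 'example_verify_recaptcha_on_checkout' );

function example_verify_recaptcha_on_checkout() {
    // Token the reCAPTCHA widget posts along with the checkout form.
    $token = isset( $_POST['g-recaptcha-response'] )
        ? sanitize_text_field( wp_unslash( $_POST['g-recaptcha-response'] ) )
        : '';

    if ( '' === $token || ! example_recaptcha_token_is_valid( $token ) ) {
        // Any error notice added here stops WooCommerce before the order is
        // created, so the payment gateway is never asked to process payment.
        wc_add_notice( 'reCAPTCHA verification failed. Please try again.', 'error' );
    }
}

function example_recaptcha_token_is_valid( $token ) {
    $response = wp_remote_post(
        'https://www.google.com/recaptcha/api/siteverify',
        array(
            'timeout' => 10,
            'body'    => array(
                'secret'   => EXAMPLE_RECAPTCHA_SECRET,
                'response' => $token,
            ),
        )
    );

    // Fail closed: a network error or non-200 reply counts as "not verified".
    if ( is_wp_error( $response )
        || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }

    $result = json_decode( wp_remote_retrieve_body( $response ), true );

    // Only an explicit success flag from the verification service passes.
    return is_array( $result ) && ! empty( $result['success'] );
}
```

Because the check runs on the server at form submission, it applies no matter which button or popup led to the submit.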
