rprentice84
Forum Replies Created
I had used filters and rules to fix it but that only worked until the most recent update and then it started giving bad data again (either ‘no’ or ‘in stock’ versus the appropriate ‘in_stock’ for Google). There is an incompatibility with this plugin and the latest version of WooCommerce and its related plugins.
I rebuilt the feeds twice but it didn't resolve. When I backdate the plugin back to the older version from the last few updates the issue goes away with all other plugins being current. Whatever re-factor or changes happened with the update when we first posted this caused a fairly widespread set of issues based on all the posts, and it hit everyone differently (which is to be expected based on what plugins people are using).
I did my feed with another plugin for now, to avoid further disruptions.
@galbaras Already downgraded days ago, but upgraded again due to back and forth emails with the plugin team to no resolve. I have since deleted the plugin because they cannot find a solution to the issue.
I will also note that it was more than 2 days since the update that broke it before I upgraded mine, nearly a week. And I do test my updates, thus when I posted about the issue. They have deployed 2 updates since to fix other issues, but have not resolved this one.
- This reply was modified 1 year, 3 months ago by rprentice84.
The patch version caused a fatal error:
Line 33
Message Uncaught Error: Class “PremiumAddons\Includes\Premium_Template_Tags” not found in /XXXXX/public_html/wp-content/plugins/premium-addons-for-elementor/includes/pa-display-conditions/conditions/post-type.php:33 Stack trace: #0
File /XXXXX/public_html/wp-content/plugins/premium-addons-for-elementor/includes/pa-display-conditions/conditions/post-type.php
Being down almost 5 business days kills an e-commerce business. Any updates? Not sure what major code refactoring you did with the most recent subversion but lots of support posts with a wide range of issues.
@superlemon1998 Just emailed you the config and a link to the feed. It's still down even after trying the latest version of the plugin from today.
I have the setup copied but cannot find a way to submit the info to your support team. I don't have the elite license.
Hey Jeff (@superlemon1998),
I rolled the plugin back to 13.3.9 and it fixed the issue, so it's not a theme or plugin conflict.
Forum: Plugins
In reply to: [WooCommerce PayPal Payments] Attacked by “card testing” – “origin unknown”
We get plenty of legit orders with an unknown source origin due to cookie blocking or privacy blocking settings esp on mobile, so you could be impacting direct revenue. That's why we cannot use a solution like that, not to mention editing the plugin directly preventing you from updating will put you out of PCI Compliance should another vulnerability come up while we wait for PayPal to update this issue.
The solution I provided above doesn't block the entire API as other solutions have provided but instead prevents the bot from grabbing the catalog as JSON response and as a result the bot process dies because it doesn't have a sku to continue. This has completely stopped the bot orders for us without impacting real customers or functionality.
Forum: Plugins
In reply to: [WooCommerce PayPal Payments] Attacked by “card testing” – “origin unknown”
@inpsydekrystian There is no misunderstanding. I can confirm when I log into our merchant account with PayPal the AVS response code listed is N, not M. And we confirmed with the chargebacks received the address provided on the orders was not a match.
Forum: Plugins
In reply to: [WooCommerce PayPal Payments] Attacked by “card testing” – “origin unknown”
I have logs that show the fraud orders bypassing PayPal Fraud filters. After hitting the JSON of the catalog and adding to cart via API it directly queries the PayPal endpoints for getting a token/client id, creating an order, and forcing an approval. See below:
“POST /?wc-ajax=ppc-data-client-id HTTP/1.0” 200 1061 XXXXX “Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML like Gecko) CriOS/120.0.6099.119 Mobile/15E148 Safari/604.1”
“POST /?wc-ajax=ppc-create-order HTTP/1.0” 200 700 XXXXX “Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML like Gecko) CriOS/120.0.6099.119 Mobile/15E148 Safari/604.1”
“POST /?wc-ajax=ppc-approve-order HTTP/1.0” 200 621 XXXXX “Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML like Gecko) CriOS/120.0.6099.119 Mobile/15E148 Safari/604.1”
“POST /wp-json/wc/store/checkout HTTP/1.0” 200 3155 “
Then when I go into WooCommerce, I see the order approved with an AVS response of N and CVV response of N even though we have the filters enabled to reject any CVV or AVS response of N. I sent this all to our Rep yesterday to open a ticket.
Forum: Plugins
In reply to: [WooCommerce PayPal Payments] Attacked by “card testing” – “origin unknown”
12ish hours in and it has fully stopped the bot orders and we have not seen any issues with other functionality and real orders coming in without issue. I am still waiting to hear back from PayPal about how they are using the REST API unauthenticated to bypass fraud filters on the payment gateway side because that feels like a serious vulnerability that needs to be addressed.
Forum: Plugins
In reply to: [WooCommerce PayPal Payments] Attacked by “card testing” – “origin unknown”
I have had the same issue, and I brought it up to our account executive at PayPal because I don't have this issue on sites I manage using other payment gateways. Investigating the logs I found this:
The bots are making use of the open REST API built into WooCommerce/WordPress to submit these orders and otherwise bypass a lot of built in checks that are part of the standard checkout process.
It starts with the bot hitting wp-json/wc/store/products in WooCommerce with filters that sort and list your cheapest products first, making it easier for them to test stolen cards. Then they start to submit POST requests to the REST API endpoint to add to cart, checkout, create order, push payment to PayPal and I have even seen them find a way to forcibly bypass Fraud filters within PayPal and get the payment to go through even when the filters are set to block AVS N responses (sent this to our PP rep also).
So we looked at the official WordPress documentation on restricting the REST API (https://developer.ww.wp.xz.cn/rest-api/frequently-asked-questions/#can-i-disable-the-rest-api).
While they do not recommend shutting it down completely as it can break 3rd party plugins and functionality in the admin panel, I decided to take their code for “Require Authentication for All Requests” and modified it to only require the user be logged in when hitting that initial wp-json/wc/store/products URL with the in stock and sorting filters.
I will monitor and let you know if this stops it without breaking anything. I cannot promise this use-case will work for all sites and setups. We modified the logic from the URL above with this URL check:
$api_url = $_SERVER['REQUEST_URI']; // Added this to get the url the user is trying to hit
if ( ! is_user_logged_in() && str_contains( $api_url, '/wp-json/wc/store/products' ) ) {
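An added example, not part of the original posts: a log check for the request chain in the access-log excerpt earlier on this page, preceded by the catalog fetch described in this post. It assumes combined-format access logs with the client address first; the sample traffic, the five-minute window and the query string on the catalog request are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Ordered request markers taken from the posts above.
STAGES = ["/wp-json/wc/store/products", "wc-ajax=ppc-data-client-id",
          "wc-ajax=ppc-create-order", "wc-ajax=ppc-approve-order",
          "/wp-json/wc/store/checkout"]
WINDOW = timedelta(minutes=5)  # assumed threshold; tune per site
# Assumed layout: combined log format, client address in the first field.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} ')

def parse(line):
    """Return (client, timestamp, url), or None for an unparseable line."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3)

def find_api_only_checkouts(lines):
    """Clients that walk every stage in order within WINDOW without
    requesting any non-API URL (page or asset) during or just before it."""
    state, flagged = {}, []
    for client, ts, url in filter(None, map(parse, lines)):
        st = state.setdefault(client, {"idx": 0, "start": None, "page": None})
        if "/wp-json/" not in url and "wc-ajax=" not in url:
            st["page"] = ts  # ordinary storefront request
            continue
        if STAGES[0] in url and st["idx"] <= 1:
            st["idx"], st["start"] = 1, ts  # (re)start on a catalog fetch
        elif st["idx"] and STAGES[st["idx"]] in url:
            st["idx"] += 1
        if st["idx"] == len(STAGES):
            no_page = st["page"] is None or st["page"] < st["start"] - WINDOW
            if no_page and ts - st["start"] <= WINDOW and client not in flagged:
                flagged.append(client)
            st["idx"] = 0
    return flagged

def sample():
    """Constructed traffic: 203.0.113.7 is API-only, 198.51.100.20 loads /checkout/ first."""
    # Constructed requests; the query string is an assumed example.
    chain = ["GET /wp-json/wc/store/products?orderby=price&order=asc",
             "POST /?wc-ajax=ppc-data-client-id", "POST /?wc-ajax=ppc-create-order",
             "POST /?wc-ajax=ppc-approve-order", "POST /wp-json/wc/store/checkout"]
    rows = [("198.51.100.20", "GET /checkout/")]
    rows += [(ip, r) for r in chain for ip in ("203.0.113.7", "198.51.100.20")]
    fmt = '{} - - [12/Jun/2024:03:14:{:02d} +0000] "{} HTTP/1.0" 200 700 "-" "UA"'
    return [fmt.format(ip, i, req) for i, (ip, req) in enumerate(rows)]
```

`find_api_only_checkouts(sample())` returns only the API-only client. Behind a proxy or CDN the first log field is the proxy address, so group on the forwarded client address instead.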
I tried generating assets before posting and that didn't work.
Just updated to 5.2.3 and everything appears to be working with that latest update.
I agree with Rene. The plugin team is ignoring the facts here.
As of about a week ago, custom post types stopped working on sites where it was working previously with no updates other than the most recent Jetpack update.
My site is the same. Confirmed that standard posts publish but custom post types, including WooCommerce products don't work. WooCommerce is a base e-commerce platform for WordPress, a fundamental feature, and it's broken.
I know we are not ‘paid’ subscribers to your plugin, but at least provide some honest answers. Something is broken.
Same issue. Started 3 days ago. All social sharing stopped. Disconnected each network and reconnected, no change.
Ran debugger for Jetpack showed no errors.
Ran Graph debugger for FB and it says all og tags are in place. Something happened with the most recent update.