Problem with repeated fake orders with the PayPal Woocommerce Plugin

Go to solution
TS2188
Contributor
Contributor
Posted on
‎Nov-28-2024 08:43 AM

Using WooCommerce PayPal Payments - had a problem with repeated fake orders exploiting a vulnerability with the PayPal button. Added a captcha to the checkout which prevents the bots placing orders through Apple Pay and Google Pay (via Paypal). However, the Paypal button itself can be clicked even if the Captcha has been ignored, so the Paypal button is vulnerable and we can't prevent spam orders. The orders are spaced about 15 minutes apart, for the cheapest items in our store. From multiple IPs: 1[Removed. Phone #s not permitted] [removed] IPs are from all over. Germany, UK, Hong Kong, etc We've had to disable Paypal on all our sites until we can find a solution. Seems to be an issue with the Plugin but who do we contact to fix it?

https://woocommerce.com/document/woocommerce-paypal-payments/#get-help directed us to Paypal.

 

Thanks, hope someone can help 🙂

Login to Me Too
Login to Reply or Kudo
32 REPLIES 32

Go to solution
spoonofmilk
Member
Member
‎Dec-10-2024 08:40 AM

Same as Ruth, our client has now reported the same issue - refund request from PayPal, but not sure what to do. I've suggested they contact PayPal directly, but subscribing to this thread to see if anyone has more info on the exact outcome of the situation!

Login to Me Too
Login to Reply or Kudo

Go to solution
TS2188
Contributor
Contributor
‎Dec-11-2024 02:38 AM

No further problems since we disabled Advanced Card Processing. We are still taking payments through Paypal itself, plus Apple Pay and Google Pay (through Paypal) no problems.

Login to Me Too
Login to Reply or Kudo

Go to solution
teehwhy
Contributor
Contributor
‎Dec-11-2024 03:02 AM

The Solution is to turn off auto update for the Woocommerce Paypal plugin and change the code in this directory. 

\woocommerce-paypal-payments\modules\ppcp-button\src\Endpoint\CreateOrderEndpoint.php ... at the beginning of this function

 

   private function create_paypal_order( \WC_Order $wc_order = null, string $payment_method = '', array $data = array() ) : Order {

       // Check origin source from session


if (!isset($_COOKIE['sbjs_first'])) {
      throw new RuntimeException(
        __('Order creation failed: Origin source is required.', 'woocommerce-paypal-payments')
    );

}
    assert( $this->purchase_unit instanceof PurchaseUnit );

 

 


 Note: this is a temporary fix. You can check other cookies that relate to the origin source to harden the condition.

Login to Me Too
Login to Reply or Kudo

Haven't Found your Answer?

It happens. Hit the "Login to Ask the community" button to create a question for the PayPal community.