29 Nov 2022

WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a big problem. But what causes it?

Part of the problem is that plugins with known vulnerabilities get pulled from the Plugin Directory, but get returned without the vulnerabilities actually being fixed. That is the case with the plugin previously known as WooCommerce Fraud Prevention Plugin and now renamed Fraud Prevention For Woocommerce. [Read more]

10 Nov 2022

WooCommerce Fraud Prevention Plugin’s Functionality Can Be Disabled by Anyone Logged in to WordPress

With the security of WordPress plugins, those that extend the functionality of the ecommerce plugin WooCommerce would seem like they would be more secure than the average plugin, seeing as security should be important for software on websites handling money and customer data. But that continues to not be the case. Earlier this week the WP Tavern, which only barely discloses that it is owned by Matt Mullenweg, the head of the company that owns WooCommerce, covered problems WooCommerce-based websites are having with fraudulent charges through the Stripe payment service from those testing stolen credit card numbers. The story mentioned one partial solution for that issue:

Many other developers in the conversation have been hit with similar attacks, some with honeypots in place that didn’t prevent anything. One recommended using the WooCommerce Fraud Prevention plugin. It allows store owners to block orders from specific IP addresses, emails, address, state, and zip codes. This might help once attacks have started but doesn’t fully prevent them. [Read more]

10 Nov 2022

Authenticated Settings Reset Vulnerability in WooCommerce Fraud Prevention Plugin

As detailed in a separate post, we took a look at the WordPress plugin WooCommerce Fraud Prevention Plugin after seeing it mentioned in a news story. We found it is insecure and that the insecurity leads to at least one vulnerability, as anyone logged in to WordPress can reset the plugin's settings.

The plugin registers the function wcblu_reset_settings() to be accessible through WordPress’ AJAX functionality to anyone logged in to WordPress: [Read more]
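The weakness described above is a WordPress AJAX callback that does nothing to confirm the caller is allowed to perform the action. The snippet below is an added illustration written for this page, not the plugin's own code: it shows the general pattern, with a hook name, callback names and an option name that are assumptions, first without any check and then hardened with the nonce and capability checks a settings-reset action needs.

```php
<?php
// Added illustration, not the plugin's code. The hook name, callback names and
// option name are assumptions chosen for this example.

// Weak pattern: wp_ajax_{action} fires for every authenticated request, so the
// callback is reachable by any logged-in user (subscriber included) because it
// performs no capability or nonce check of its own.
add_action( 'wp_ajax_example_reset_settings', 'example_reset_settings_unchecked' );
function example_reset_settings_unchecked() {
    delete_option( 'example_plugin_settings' );
    wp_send_json_success();
}

// Hardened pattern: require a nonce tied to this action, then require the
// capability an administrator needs to manage plugin settings.
add_action( 'wp_ajax_example_reset_settings_v2', 'example_reset_settings_checked' );
function example_reset_settings_checked() {
    // Stops the request (HTTP 403 by default) if the 'nonce' parameter is not a
    // valid nonce for this action; this also blocks cross-site request forgery.
    check_ajax_referer( 'example_reset_settings', 'nonce' );

    // Stops logged-in users who are not permitted to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    delete_option( 'example_plugin_settings' );
    wp_send_json_success();
}

// The admin page that offers the reset button must send the matching nonce,
// created with wp_create_nonce( 'example_reset_settings' ), as the 'nonce'
// parameter of the AJAX request.
```

When reviewing a plugin for this class of issue, the check is mechanical: for every `add_action( 'wp_ajax_...' )` registration, confirm the callback (or something it calls before acting) performs both a `check_ajax_referer()` and a `current_user_can()` test appropriate to the action; either one alone is not sufficient, since the nonce only proves intent and the capability only proves authorization.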