• Resolved vasantib

    (@vasantib)


    Hi,
    I recently installed WooCommerce and all its supporting plugins through the WooCommerce website directly and completed the setup, only to find malware detected on my site 2 days after. A few of my website visitors reported the malware on their end as well!
    I have SiteLock protection and they scanned the files and let me know that the malware is due to the WooCommerce Payments plugin, which needs to be updated. However, when I check, that plugin is up to date on my site and no update is available. SiteLock tried to clean it but they are unable to detect or replicate the malware site.
    In the meantime, my phone seems to be compromised and the malware site continues to appear even after clearing browser cache and history for multiple browsers.
    Ultimately I deactivated the plugin and the malware site has stopped appearing.
    However, I do need to set up WooCommerce on my website to sell products and am unable to do it due to the malware. Could someone please help in figuring this out?

    Thanks,
    Vasanti


Viewing 5 replies - 1 through 5 (of 5 total)
  • Mirko P.

    (@rainfallnixfig)

    Hi @vasantib,

    Most likely this is a false positive since WooCommerce Core and WooCommerce Payments do not have any malware in the code. However, you can uninstall the plugins and reinstall them again.

    I’ve checked on Sucuri and it did not find any malware on your site: https://sitecheck.sucuri.net/results/https/signatureconcoctions.com


    Link to image: https://i.imgur.com/hWXls2v.png

    I would recommend reaching out to SiteLock’s help center and letting them check this thoroughly.

    Thanks.

    Thread Starter vasantib

    (@vasantib)

    Hi Mirko,
    Thanks so much for your quick response and also for double checking everything on my site. Could it be that because I have deactivated the WooCommerce Payments plugin on the backend that the Sucuri scan didn’t find the malware? Just curious?
    I tested on my end by deactivating all WooCommerce plugins and then reactivating them all and the malware site showed up, but then when I deactivated only the WooCommerce Payments plugin, the malware site did not take over my website.
    Kindly lmk your thoughts.

    Thanks!

    Plugin Support Abhi G. a11n

    (@theabhig)

    Hi @vasantib

    Thanks for sharing the additional information.

    We haven’t seen any reports of malware being linked to WooCommerce Payments and neither WooCommerce nor WooCommerce Payments have malware in their code.

    When you say:

    “when I deactivated only the WooCommerce Payments plugin, the malware site did not take over my website.”

    could you let me know what you mean by “taking over your site” please?

    For example, what are you seeing or what is happening when you have WooCommerce Payments activated?

    Your hosting company may also be able to confirm where in your site’s files any malware or malicious code is saved, so they may also be able to provide further guidance.

    We will be standing by for your response.

    Thanks!

    Thread Starter vasantib

    (@vasantib)

    Hi Abhi,
    Sorry for the late reply!
    By “taking over my site” I meant that when you went to my site https://www.signatureconcoctions.com, within a few seconds the malware sites with a popup message would replace my website in the browser and you couldn’t go back or do anything other than close the browser window.

    But when I deactivated the WooCommerce Plugin, the malware sites did not appear.

    I just double checked and it looks like the WooCommerce Payments plugin had an update this morning. I updated the plugin and reactivated it. It seems to be working fine now! So there was definitely an issue with that one plugin as identified by the SiteLock team.

    I’ll mark this issue as resolved now, especially since the plugin update from this morning seems to have fixed it.

    Thank you for your time!

    Thread Starter vasantib

    (@vasantib)

    Looks like the vulnerability was caught after all!
    Just received this email:

    Action required: Critical vulnerability in WooCommerce
    WooCommerce <[email protected]>
    4:38 PM 

    HERE'S WHAT TO DO TO SECURE YOUR STORE
    Hi there,
    
    We’re reaching out to let you know that a critical vulnerability was identified in WooCommerce (versions 3.3 to 5.5) and the WooCommerce Blocks feature plugin (versions 2.5 to 5.5).
    
    What actions should I take with my store?
    Stores hosted on WordPress.com and WordPress VIP have already been secured. We are working with the WordPress.org Plugin Team to automatically update as many stores as possible to secure versions of WooCommerce. We also urge you, however, to take the following added precautions to safeguard your site:
    
    Update your copy of WooCommerce to the latest version (5.5.1) or the highest number possible in your release branch.
    If you are running the WooCommerce Blocks feature plugin, you’ll need to update it to the latest version (5.5.1).

    What does this mean for my store?
    Our investigation into this vulnerability is ongoing, but we wanted to let you know now about the importance of updating immediately.
    
    We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.
    
    What can I expect from WooCommerce in the future?
    Our intention is always to respond immediately and operate with complete transparency. Since we discovered this vulnerability yesterday, the WooCommerce team has worked around the clock to investigate the issue, audit all related codebases, and release a patch for every impacted version (90+ releases).
    
    If you have any other questions, we're here to help – reply to this email.
    
    Thanks for reading,
    The Woo Team
    
  • The topic ‘Woocommerce Payment plugin causing malware on my site’ is closed to new replies.