Hello @directino
But still someone managed to hack the plugin…
I would avoid bold statements about the security gaps until they are actually confirmed by legitimate source.
Just for you to know, the plugin does not handle iDEAL payments directly. Instead, it displays all the APM gateways (incl. iDEAL) in an iframe, with the content hosted and totally controlled on PayPal’s side. If there were any security gaps, they would be directly on PayPal’s side, not on the plugin’s side. If you’re unsure about the legitimacy of this payment method, it’s best to report your concerns directly to PayPal.
We got a signal from a client that made an order and did not receive a confirmation. There was no incoming payment in our PayPal account or in the WooCommerce order menu.
If no order was created in WooCommerce and the payment wasn’t captured, it may be due to improperly registered or received webhooks or the buyer not completing the checkout process correctly. If the plugin doesn’t capture the payment within three hours, PayPal typically issues an automatic refund. It should appear in the buyer’s account within a few days, as SEPA transactions usually take a day to process.
Alternatively, any alternative payment method can be disabled, e.g. via the Disable Alternative Payment Methods setting in the Standard Payments tab.
this domain r3.girogate.de. Then a payment would be sent to a German bank account with our site’s name that we do NOT own.
r3.girogate.de is a subdomain of girogate.de (source: https://securitytrails.com/list/apex_domain/girogate.de)
API endpoint URL: https://api.girogate.de is legitimate output from iDEAL/Bancontact (source: https://developerhub.ppro.com/simple-api/docs/bancontact-wip)
Just updated to 2.8.0 again and the problem seems solved for now. But still someone managed to hack the plugin…
Could you provide the steps to reproduce the issue in the previous version, which doesn’t occur in the latest version?
Looking forward to hearing from you.
Kind regards,
Krystian