December 8, 2016 at 8:52 am #1286107
Tyson at RPTC (Participant): Hey Themeco,
So the WP Cost Estimation & Payment Addon that came with the theme has a massive, and I mean MASSIVE flaw. There is no CAPTCHA included in their form, leaving it extremely vulnerable. But the creator, loopus, stated that his JS platform and AJAX prevent it from being hit by a spam bot. Which is NOT TRUE, not in the least bit true. Why do I know this? Because last night, that same form was hit, and I woke up this morning with over 10,000 emails. I’m completely in shock right now, no idea how the spam bot was able to get past this form, where every field was required, and submitted it without filling out any fields. It completely bypassed required fields and submitted thousands of forms, THOUSANDS. Loopus said that the next update will include captcha, but what about right now? What about this crazy ass shit bombing my inbox? Take a look at the page with the form: http://realproperty.ca/fbads16/home-closings-made-safer-easier/ Let me know if you guys can figure this out?
December 8, 2016 at 9:50 am #1286181
Jack (Keymaster): Hi Tyson!
Sorry to hear about this. As far as we’re aware it shouldn’t have been possible for a spam bot to bypass the JS and the Ajax; it must have been an extremely advanced bot to bypass this and get the form submitted, because of the inline JS and Ajax validation.
Can you make a private reply please with your wp-admin login details for the affected website, so we can take a closer look at this for you. Make sure you check “Set as private reply”.
Thank you!
December 8, 2016 at 9:55 am #1286188
Tyson at RPTC (Participant): This reply has been marked as private.
December 8, 2016 at 12:01 pm #1286363
Jack (Keymaster): Thanks Tyson. There’s nothing on your site that should draw in bots; for example, the form isn’t a login/registration form, which might otherwise encourage an automatic bot that is trying to hack that login.
Here’s what I would do until the developer adds Captcha support:
Check your server logs; all bot requests should show an IP address (hopefully all of them are the same), or the log should show the complete request the bot made.
If you can post back that info, I can provide some .htaccess code (if I have the complete request), which will stop the bot from accessing your server and submitting the fake requests.
Thank you!
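The log review Jack describes above, worked through as an added example (not code from Themeco or the plugin): it parses Apache combined-format access-log lines, counts POSTs to the form endpoint per source IP, flags IPs that post repeatedly without ever having loaded a page (no Referer), and renders the matching Apache 2.4 deny block. The endpoint path and the sample log lines are assumptions constructed for the example.

```python
import re
from collections import Counter, defaultdict
# Apache "combined" access-log line (the format most shared hosts write).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumption: the plugin form posts to WordPress's admin-ajax.php, the usual
# endpoint for plugin AJAX handlers; adjust if the plugin registers its own route.
FORM_ENDPOINT = "/wp-admin/admin-ajax.php"

# Constructed sample: two bot hits straight at the endpoint (no Referer, scripted
# User-Agent) and one real visitor who loaded the page first, then submitted.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Dec/2016:02:14:01 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "python-requests/2.12.1"
203.0.113.7 - - [08/Dec/2016:02:14:01 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "python-requests/2.12.1"
198.51.100.20 - - [08/Dec/2016:02:15:40 -0500] "GET /fbads16/home-closings-made-safer-easier/ HTTP/1.1" 200 18231 "-" "Mozilla/5.0"
198.51.100.20 - - [08/Dec/2016:02:16:05 -0500] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "http://realproperty.ca/fbads16/home-closings-made-safer-easier/" "Mozilla/5.0"
"""

def parse_log(text):
    """Yield one dict per well-formed combined-log line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def form_posts_by_ip(text):
    """Per IP: number of POSTs to the form endpoint and whether any carried a Referer."""
    counts, has_ref = Counter(), defaultdict(bool)
    for rec in parse_log(text):
        if rec["method"] == "POST" and rec["path"].startswith(FORM_ENDPOINT):
            counts[rec["ip"]] += 1
            has_ref[rec["ip"]] |= rec["referer"] not in ("", "-")
    return {ip: {"posts": n, "has_referer": has_ref[ip]} for ip, n in counts.items()}

def suspect_ips(text, min_posts=2):
    """IPs that posted the form repeatedly without ever sending a Referer."""
    stats = form_posts_by_ip(text)
    return sorted(ip for ip, s in stats.items()
                  if s["posts"] >= min_posts and not s["has_referer"])

def htaccess_block(ips):
    """Apache 2.4 .htaccess fragment that denies only the listed IPs."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)
```

The missing Referer is only a heuristic, since a client can send any header it likes; confirm with request volume and timing before adding an address to the deny block.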
December 8, 2016 at 2:01 pm #1286488
Tyson at RPTC (Participant): To be completely honest, I have no clue how to check my server logs. You have my login details; can you take a look at that for me? I disabled the plugin, and removed it from the page, but I’m still getting flooded with spam emails.
December 8, 2016 at 2:57 pm #1286538
Tyson at RPTC (Participant): I THINK I resolved the continuous spam emails, because there was a plugin stopping the Google reCAPTCHA from working on my Contact Form 7 forms, but now those have the reCAPTCHA on them. But unfortunately I can’t use WP Estimation & Payment forms until you guys release an update. Loopus said that your next update would come with the updated version of WP Estimation & Payment forms that has a built-in captcha. Any idea when you will be releasing an update?
December 8, 2016 at 6:57 pm #1286839
Rad (Moderator): Hi there,
We can’t really say when, but it should be available through automatic updates when available.
Thanks!