Exploit observed: Spam comments in mod qeue with comments disabled
Hi, I don't know where else to submit this.
With comments disabled on product pages, we have received three "spam" comments. I have reviewed the source of the product pages the spam was "submitted" from, and no form submit code for comments is included on those pages (which is correct per comments being disabled). Our child theme "hides" some default Product page content items, but a comment form is not among them.
The presence of these comments in our moderation qeue, and the origin & timing of the attempted posts, indicates an exploit against WooCommerce. In our case no harm was done and we do not believe this is a security concern for us, but you might want to look into it.
A screen shot of the moderation qeue can be found here:
Casual inspection identifies the three comments as routine spam most likely originating from a botnet. But it should never have reached our database, as comments are disabled and there is no comment form present on any of the Product pages.
Our URL: http://docsolomons.com
Running: Wordpress 4.5.3, Slocum Simple Shop 1.1.2, WooCommerce 2.6.1
On: LAMP stack maintained on Ubuntu Server by our hosting provider, Pair Networks.
Our child theme includes no PHP of our own except for some HTML echoed to add custom content to the header (social buttons that fit our layout).
Ideally, the best place to report this would be at the WordPress.org forums for WooCommerce, here: http://wordpress.org/plugins/woocommerce/.
If you feel you’ve found a security issue in future, please do report these to http://automattic.com/security/.
In this instance, it looks like you’re receiving spam comments (Product Reviews in WooCommerce are stored as comments on the product).
There’s a great few tips here ( https://wordpress.org/support/topic/getting-spam-despite-no-comment-interface-in-loop-how?replies=5 ) regarding remedying this.
Thanks and regards,