Get ready for the spam

  • Boston Tom

    (@tneveu)


    2 months ago

    After installing this plugin, within days I was hit by PayPal phishing emails, fake invoices, spam, junk email, etc… despite using an email spam filter on the server. I dutifully forwarded all phishing emails to PayPal’s spoof@paypal.com email address.

    I couldn’t understand why there was such an uptick in fake invoices, scams, and assorted junk.

    Then I clicked on the Donate Now button. Right there for the world to see was my email address, shown in a pop-up window—no visit to PayPal’s website necessary. It didn’t dawn on me when I first installed it that if I could see my email, then so could the world.

    So I went into the “Donate via PayPal” settings and changed it to Merchant ID. I’m not a merchant or business; I run a free website that accepts donations. I grabbed the Merchant ID anyway from my PayPal account settings and swapped out my email address for this ID to see if it hid my email.

    Instead, when you click the Donate button my full name shows up! What is wrong with this plugin and privacy? It literally is sharing your email address to the entire world with no encryption or even bothering trying to hide it.

    I then looked at my site’s source code. Right there for the world to see was my email address, unencoded, waiting to be scraped by scammers, schemers, fraudsters, and Nigerian princes. My friggin’ contact form hides my email address. So great job on exposing my addy to the world and greatly increasing my spam, phishing emails, and frustration.

    PS: I don’t care if they see my email once they get to the Paypal website as most scammers are automated, but to show it in a pop-up window without ever leaving the site and having it embedded in the source code is beyond irresponsible. The author needs to fix this.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support mbrsolution

    (@mbrsolution)

    2 months ago

    Thank you @tneveu, for your 2 star review. We appreciate this.

    In regards to the spam and email issue, I have this plugin running in my site and only my name is revealed and no email. I have a business account by the way. I also carried out a test in my dev site and no email was showing up on the popup window after I clicked on the Donate button.

    I suspect another plugin in your site might be conflicting with our plugin or a setting on your PayPal account. If you would like us to help you troubleshoot this further, please create a support thread using the link below. This section is only for reviews.

    https://wordpress.org/support/plugin/paypal-donations/

    Kind regards.

    Thread Starter Boston Tom

    (@tneveu)

    2 months ago

    Apparently, you didn’t read my review.

    I wrote: “I’m not a merchant or business; I run a free website that accepts donations.

    So I have no business name to use, only my email address. If I use the Merchant ID under my settings in PayPal, it shows my full name instead (also in the review). And my email is in source code on every page as the donate button is in the sidebar (duh).

    Go ahead and use your email address instead of your “secure merchant account ID” and see what happens. Maybe it doesn’t show because you have a business PayPal account; I don’t know, as I don’t have one. Next time, read what I wrote. I can attach screenshots showing you my embedded email in every page’s source code for the Donate Via Paypal and the pop-up window.

    Your plugin has literally put me on every spammer list on the planet so thanks for that! Not.

    Plugin Author mra13 / Team Tips and Tricks HQ

    (@mra13)

    2 months ago

    Just adding some additional context here. This plugin uses the standard PayPal donations button code. PayPal’s recommended approach to avoid exposing your email address is to use the Merchant ID associated with your PayPal account.

    However, I completely understand that this doesn’t help in your specific case since you’re using a Personal PayPal account, which doesn’t offer a Merchant ID. Unfortunately, PayPal does not provide robust website payment integration options for personal accounts — this is a limitation from PayPal itself, not something specific to this plugin.

    You’re of course welcome to try other plugins to see if they better suit your needs, but with a personal PayPal account, you’re likely to encounter similar limitations across most solutions.

Viewing 3 replies - 1 through 3 (of 3 total)
  • You must be logged in to reply to this review.