Support » Plugin: Accept Stripe Payments » High volume of ajax requests

  • We’re being told by WPEngine that this Stripe Payments plugin is generating a high volume of ajax requests, and as a result, our site has been moved off a production server and onto a temporary host until it is resolved. Notes below are from the WPEngine techs:

    “Monitoring the ajax calls being made on the site, the action I see being rapidly repeated is asp_pp_req_token.”

    wp-content/plugins/stripe-payments/includes/class-asp-pp-handler.php

    31:     add_action( 'wp_ajax_asp_pp_req_token', array( $this, 'handle_request_token' ) );
    32:     add_action( 'wp_ajax_nopriv_asp_pp_req_token', array( $this, 'handle_request_token' ) );

    wp-content/plugins/stripe-payments/public/assets/js/pp-handler.js

    843: var reqStr = 'action=asp_pp_req_token&amount=' + vars.data.amount + '&curr=' + vars.data.currency + '&product_id=' + vars.data.product_id;

    “We ask that this function be looked into since it appears to be causing a high amount of uncached requests to be generated on the site.”

    Has anyone seen anything like this? Appreciate any help that can be offered.

    Thank you.

    • This topic was modified 3 months, 2 weeks ago by apgold23.
Viewing 10 replies - 1 through 10 (of 10 total)
  • Plugin Support mbrsolution

    (@mbrsolution)

    I have submitted a message to the developers to investigate further your findings.

    Thank you

    Plugin Author mra13

    (@mra13)

    Do you have the captcha option enabled by any chance?
    https://s-plugins.com/stripe-payments-recaptcha-addon/

    Thread Starter apgold23

    (@apgold23)

    Thank you @mbrsolution.

    @mra13 – No, reCAPTCHA is not enabled.

    Plugin Author mra13

    (@mra13)

    Please enable the captcha option then check it again.

    Thread Starter apgold23

    (@apgold23)

    Thank you for the suggestion. Unfortunately enabling recaptcha didn’t help. Here is the latest from WPEngine (after 24 hours with recaptcha enabled):

    AGENT (Lindsey C): Monitoring the ajax calls being made on the site, the action I see being rapidly repeated is asp_pp_req_token which looks to be referenced in the stripe-payments plugin. The exact lines of code would be:

    wp-content/plugins/stripe-payments/includes/class-asp-pp-handler.php

    31:     add_action( 'wp_ajax_asp_pp_req_token', array( $this, 'handle_request_token' ) );
    32:     add_action( 'wp_ajax_nopriv_asp_pp_req_token', array( $this, 'handle_request_token' ) );

    wp-content/plugins/stripe-payments/public/assets/js/pp-handler.js
    843: var reqStr = 'action=asp_pp_req_token&amount=' + vars.data.amount + '&curr=' + vars.data.currency + '&product_id=' + vars.data.product_id;

    Plugin Contributor Alexander C.

    (@alexanderfoxc)

    Hi.

    Can you ask the support to provide exact URLs that are being requested? You can edit out your website if you don’t want to disclose it. What I need is something like this: https://example.com/?action=asp_pp_req_token&amount=xx&curr=xxx&product_id=xxx

    Plugin Contributor Alexander C.

    (@alexanderfoxc)

    Also, it seems that we won’t be able to prevent those requests from being made, as those aren’t made by us or our plugin. This is done by someone who is trying to test stolen credit cards via your website by making the requests to our plugin’s API. Enabling reCaptcha is a good thing as it prevents the actual testing. But we cannot prevent the requests anyway.

    You need to communicate this information to your hosting provider. They should be able to detect this malicious traffic and block it automatically.

    Thread Starter apgold23

    (@apgold23)

    Ty @alexanderfoxc! We’re working with WPEngine to get the details. They said they need to dig into the logs to identify any offending IP addresses or user agents that might be the cause.

    Plugin Contributor Alexander C.

    (@alexanderfoxc)

    New plugin version (2.0.38) has additional measures implemented to prevent card testing attempts. We also renamed asp_pp_req_token action, so there should be no code executed by our plugin when someone tries to trigger the action. This won’t prevent them from accessing the URL itself though.

    Thread Starter apgold23

    (@apgold23)

    Thank you. Plugin updated. We’ll let you know what we hear back.
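
The log review discussed in this thread (finding the IP addresses and user agents behind the repeated asp_pp_req_token calls), as an added example that is not part of the original posts or the plugin's code. It assumes a combined-format access log in which the action is visible in the query string, as in the URL form requested above; the window, threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

ACTION = "asp_pp_req_token"  # AJAX action named in the thread
WINDOW_SECONDS = 60          # assumed sliding window
THRESHOLD = 5                # assumed per-client limit inside one window

# Combined log format (assumed): ip - - [time] "METHOD url PROTO" status size "referer" "ua"
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    """Return (ip, user_agent, timestamp) for a request carrying ACTION, else None."""
    m = LINE_RE.match(line)
    if not m or ACTION not in parse_qs(urlsplit(m["url"]).query).get("action", []):
        return None
    return m["ip"], m["ua"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def find_offenders(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map (ip, user_agent) -> peak request count in any window, if >= threshold."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        hits[rec[:2]].append(rec[2])
    offenders = {}
    for client, stamps in hits.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window:
                start += 1  # drop requests that fell out of the window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[client] = peak
    return offenders

def sample_log():
    """Constructed log lines using documentation IP ranges; not data from the thread."""
    fmt = ('{ip} - - [10/Mar/2021:12:00:{s:02d} +0000] "GET /wp-admin/admin-ajax.php'
           '?action={a}&amount=100&curr=usd&product_id=42 HTTP/1.1" 200 51 "-" "{ua}"')
    burst = [fmt.format(ip="203.0.113.7", s=s, a=ACTION, ua="scripted-client/1.0") for s in range(0, 40, 2)]
    buyer = [fmt.format(ip="198.51.100.9", s=5, a=ACTION, ua="Mozilla/5.0")]
    other = [fmt.format(ip="203.0.113.7", s=1, a="heartbeat", ua="scripted-client/1.0")]
    return burst + buyer + other

if __name__ == "__main__":
    for (ip, ua), peak in find_offenders(sample_log()).items():
        print(f"{ip}  {ua!r}  {peak} requests within {WINDOW_SECONDS}s")
```

If the action is sent in a POST body instead, the access log will not show it and the same counting has to be done on whatever request log the host keeps for admin-ajax.php.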
