Possible exploit

Just a heads-up for other users of this plugin and the developers.

In my Google Analytics reports, I’d recently noticed lots (thousands) of requests to URLs with these three sets of odd parameters:
/products/product-name/????/user-new.php=
/products/product-name/????/plugins.php=
/products/product-name/????/theme-editor.php=

On further investigation, the page for the product-name in question never completely loaded. On stopping the load, Chrome was asking if I wanted to save a password for a user named woosales_wordpress@gmails.com.

Also, during my investigations, I did on occasion receive “429 Too Many Requests” errors from Apache.

I noticed the three products in question had been added to a newly created demo PPOM category and then that two additional Administrator WP accounts had been created. This new PPOM category was running an external JavaScript file. Unfortunately, I no longer have the URL as I just cleaned it out.

I removed the Administrators and the PPOM groups and updated from 18.4 to 18.6, which has hopefully resolved the exploit although I’ve not read the release notes. I’ll be keeping a close eye for similar activity over the coming weeks.

If the developers are unaware of this they may want to look into it.