Support » Plugin: WP eCommerce » spam users in wp_users after wpsc upgrade

  • I found my wp_users table growing heavily with spam users since I upgraded to latest version of this plugin last week.
    Initially i thought it is because of wp upgrade to 3.8, but when I saw one of the user as ‘_wpsc_bot’ I suspected this is a sql injection thrrough wp e-commerce plugin. when I disabled the plugin all spam stopped.
    I found 80,000 users created in 4 days.
    As it is some kind of script/hack, you will not see these users in visitor log, no ip address and no email id of users. Only way is to disable the plugin.

    Fix it urgently.

Viewing 15 replies - 136 through 150 (of 178 total)
  • According to their Github repo ( 3.8.14 is past due by 3 days, so I think they should deliver the new version soon. It includes a better cleaning function that should work without checking for date and time values (see

    Screw that! They need to abandon this venture all together. They need to find a different way. Make their own table and store their session data there or something. I do not want hundreds of temporary users floating around all my sites. Additionally the potential for hours of cleanup needed are there when things do not go quite right for them on their cleanup system.


    Thank you very much…
    ~ Merlin

    Wow this is a horrible solution.

    I just spent the last three days thinking I had a hack, cleaning *everything* looking for the source, replacing all plugins, I assumed given then random timestamps that it was a bot trying different passwords at random time intervals to prevent spam triggers.

    The very least you could of done is prefixed the user accounts with wpsc_ so we knew what it was causing the issue off the bat.

    I agree with David. Further more, I *paid* for this. You should have sent out an eMail. You *have* my eMail address.


    ~ Merlin

    The users never get completely deleted and every day the amount increases. It leaves about 15 each time it runs. So I have to go in and manually delete them. I delete them in the users table and user_meta. What is a SQL I can run to delete all anonymous users and user meta older than today for last 3 hours?



    Hindsight is a lovely thing. There are a lot of would have, should have, could haves here.
    The issue has been identified and is addressed in the version about to be released. We are working night and day to resolve the 40 something issues remaining on the list before going live. We have a small team sorry for the delay in delivery. If you want to beta test or preview the version soon to be released or would like to help out with testing to get it out the door sooner you could install the plugin “wpec betatester” you can install from the wordpress plugin admin this will allow you to run the master branch currently in development and see updates each time there is a new push.

    Thank you all for your patience and understanding.

    is anyone using the beta tester plugin successfully as a fix?
    is there other issues that then need addressed by using the plugin?

    general question, looking for user feedback. ill try it in the next few days and let people know.

    i installed the beta tester, but it pulls code from git hub, which is great, i just dont know how to apply the anon user only fix.

    is the beta tester pretty stable? is it possible it has another flaw i will have to struggle with instead?

    is anyone using the beta tester??
    could you please leave some comments the people who are beta testing, that would be great.

    This shopping cart software is severely compromising the resources on my server -the database sizes have ballooned and memory and cpu use are way up on what they should be.
    I have manually deleted all the bogus users, all the bogus user_meta
    and a huge chunk of transient records that had not expired or been cleaned up

    In the last hour about 5000 new bogus users have been added to the users table and there are 82000 rows in the usermeta table
    There is nowhere near that many visitors to this site in one hour
    and there are only 17 new rows recording transients

    I am very disappointed with the lacklustre responses from the development team
    Please can we have some current information about what the development team is up to and if this is ever to be fixed?

    another 2500 users have been added in the last 15 minutes
    and the user_meta table now has 124,076 rows when it had 81,796 rows 15 minutes ago

    I think this is getting unsustainable and I will have to ask the website owner if I may turn the webshop off. They will not be happy

    update: 3 minutes later and another 800 users added -impressive work wpsc

    19,164 bogus members today in only 4 hours – surely this behaviour is not triggered by page visitors or bots
    this website does not have that much traffic
    Has any body here found how to hack this obnoxious behaviour out of the plugin?

    @pheriche I have created a script that backs up my database every hour and my entire website nightly. So I just restored the plugin from my backup to BEFORE he implemented this new “feature”. I have not updated since. I suggest you contact them and insist they supply you with the version of the plugin before it was damaged/improved. I am currently running Version Alternatively you could pay my programmer a few bucks to clean my code out of my plugin and he could give you our version of it. I would think that somewhere there is a repository of previous versions of WP Plugins. Would be nice. Like a github. Too much time has passed. You guys are starting to look very bad and unreliable. How about catering to your existing clients and help us through this nightmare.

    ~ Merlin

    thanks merlin
    I do have backups from months ago
    I may well revert to an older version of the plugin and its database tables.
    On Edit:the version you are using seems pretty old and lots of security fixes since that makes me a bit nervous
    In the medium term i am looking for another shopping cart

    @getshopped developers :28,244 bogus users created today with about 16 entries for each of these users in the users_meta table !!!

    Can someone please summarize what must be done to fix a bloated database and continue using this plugin? Or fix it and use something else?

    I visited on a friend’s site and the entire mySQL database is 3.31 GB. On examination there are 21,360,070 user_meta entries and 1,277,439 users. Options seems bloated at 287,461 records, but that could be something else.

    — Kathy

    OMG that is huge!! If any of your people need help cleaning your database feel free to reach out to me. I am sure my programmer and myself can help you with this. At the moment the only way I know of to stop the spam accounts would be to downgrade your plugin.

Viewing 15 replies - 136 through 150 (of 178 total)
  • The topic ‘spam users in wp_users after wpsc upgrade’ is closed to new replies.