oalili
Forum Replies Created
Forum: Plugins
In reply to: [OOPVulns: Vulnerability Scanner] False positive
Yes, I double-checked and it looks like the latest update fixes this issue as well.
It also seems this plugin has some inconsistent versioning too. I’m not sure why the versioning scheme changed.
Please let us know if you have any other feedback.
Thanks for the feedback!
We do show pricing in the section header and at the top of the dashboard, but clearly it’s not visible enough. I’ll pass this to the team to improve. Just wanted to mention that many features work without a paid plan.
Sorry for the frustration!
Hi Chris, thanks for the feedback.
You’re right that pricing should be clearer upfront. Just to note, our entry plan is $23/month, not $40.
Sorry for the frustration!
Forum: Plugins
In reply to: [OOPVulns: Vulnerability Scanner] False positive
You are right!
The correct WordPress plugin range is < 1.2.0. The wrong < 2.2.0 came from conflicting upstream references: the CVE, SEC Consult advisory, and vendor 2.2.0 release note use 2.2.0, while WordPress vulnerability sources such as WPScan and Wordfence map the affected plugin versions to < 1.2.0.
Our merge logic was choosing the wrong side of that conflict, and we fixed it.
Thanks again for reporting this, @gabriel-reguly!
Forum: Plugins
In reply to: [OOPVulns: Vulnerability Scanner] False positive
Thanks for letting us know!
We will look into it and get back to you with an update.
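An added example (not OOPVulns' code) of the conflict described in the False positive reply above: a merge that counts citations picks < 2.2.0, while one that keeps only claims numbered in the plugin's own version line picks < 1.2.0. The record layout, the scope labels, the installed version 1.5.0 and both merge functions are assumptions made for illustration.

```javascript
// Added example. Source names and the 2.2.0 / 1.2.0 bounds are from the reply;
// the record layout, scope labels and installed version are constructed.
const claims = [
  { source: "CVE", scope: "vendor-product", affectedBelow: "2.2.0" },
  { source: "SEC Consult advisory", scope: "vendor-product", affectedBelow: "2.2.0" },
  { source: "vendor release note", scope: "vendor-product", affectedBelow: "2.2.0" },
  { source: "WPScan", scope: "wordpress-plugin", affectedBelow: "1.2.0" },
  { source: "Wordfence", scope: "wordpress-plugin", affectedBelow: "1.2.0" },
];

// Compare dotted numeric versions; missing parts count as 0, so 1.2 == 1.2.0.
function compareVersions(a, b) {
  const pa = a.split("."), pb = b.split(".");
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (parseInt(pa[i], 10) || 0) - (parseInt(pb[i], 10) || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

const isAffected = (installed, bound) => compareVersions(installed, bound) < 0;

// Contrast case: the most frequently cited bound wins, whatever it numbers.
function majorityBound(all) {
  const counts = new Map();
  for (const c of all) counts.set(c.affectedBelow, (counts.get(c.affectedBelow) || 0) + 1);
  return [...counts.entries()].sort((x, y) => y[1] - x[1])[0][0];
}

// Scope-aware merge: only claims numbered in the scanned package's own
// version line count; disagreement among those goes to a human.
function scopedBound(all, scope) {
  const bounds = [...new Set(all.filter((c) => c.scope === scope).map((c) => c.affectedBelow))];
  return bounds.length === 1 ? { status: "ok", bound: bounds[0] } : { status: "needs-review", bounds };
}

const installed = "1.5.0"; // constructed plugin version
const naive = majorityBound(claims);
const scoped = scopedBound(claims, "wordpress-plugin");
console.log(`majority <${naive}: affected=${isAffected(installed, naive)}`);
console.log(`scoped   <${scoped.bound}: affected=${isAffected(installed, scoped.bound)}`);
```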
Hi @alexs4 ,
Unfortunately, there is no reliable way to hide the API key, as someone with admin access to the WordPress dashboard can still access the data.
The current options are:
1. Use the code define( 'OOPSPAM_API_KEY', 'YOUR_API_KEY' ); in your wp-config.php file to hide the API key from users.
2. Assign non-admin privileges to hide the setting.
Any reliable solution would require us to implement this on our end, which is on our roadmap.
@pr-sib Thanks for testing and looking into this!
If anyone contacts us about this issue, we will inform them.
I tested with 10.5, but everyone’s environment is different. It’s possible that Woo conflicts with some of your plugins or theme. In our testing, we don’t use any third-party themes.
Regarding the tables, look for oopspam_frm_spam_entries and oopspam_frm_spam_entries in your database.
Hi @pr-sib
I’m not sure how WP Rollback works, but it sounds like it removes the database tables responsible for storing the data for spam and valid entries. Unless the plugin or you backed up the database, it seems there is no way to recover.
@pr-sib please update the plugin.
The plugin update will fix the “SyntaxError” at checkout, but it won’t resolve the legitimate orders being flagged. Those are two separate issues.
It looks like WooCommerce’s Order Attribution isn’t working correctly on your site. This feature uses a small JavaScript snippet on the checkout page to collect metadata about how customers arrive. If that script is being interfered with, orders come in with no origin data, which is why OOPSpam flags them.
Disabling “Block orders from unknown origin” is the right call for now, but it’s worth investigating why the attribution data is missing. Did anything change recently on your site like a new plugin, an update, or any Cloudflare changes? I tested Order Attribution with WooCommerce 10.5 on my end and it worked fine, so something specific to your environment is likely the culprit.
Once orders are coming in with proper origin data, you’ll be able to re-enable that setting without false positives. Let us know what you find and we’re happy to help troubleshoot!
The JSON error at checkout
Your site uses WooCommerce’s block-based checkout, which expects JSON responses from the server. When OOPSpam blocked an order, it was sending back a plain-text message instead, and that’s what caused the “SyntaxError: Unexpected token 'Y'” your customers ran into. We’ve pushed a fix so the error is returned in the right format. Once you update the plugin, customers will just see a clean inline message on the checkout page instead of everything breaking.
Why legitimate orders were getting flagged
This one ties back to your Cloudflare setup. WooCommerce tracks how customers arrive at your store using JavaScript cookies, but Cloudflare’s Rocket Loader and JS minification can mess with that. So the source data ends up empty. With “Block orders from unknown origin” turned on in OOPSpam, those orders were getting caught.
Until the update reaches you, a quick workaround is to either disable Rocket Loader in your Cloudflare dashboard (Speed → Optimization), add a Page Rule to exclude your checkout page from JS optimizations, or just temporarily turn off the “Block orders from unknown origin” option in OOPSpam’s WooCommerce settings.
The “Rate Limited” entries
Those aren’t related to your plugin’s rate limiting or Cloudflare; that’s just the OOPSpam API quota on the Free plan. When it hits the limit, submissions go through and get logged as “Rate Limited” so nothing is blocked on your end. If you’re seeing it a lot, it likely means your volume is bumping up against the free tier.
The fix will be out in the next plugin update (likely today). Let us know if anything comes up in the meantime!
@pr-sib Responded to your email.
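An added example (not the plugin's or WooCommerce's code) of a regression check for the checkout error described in the reply above: it reports why a plain-text block message fails a JSON-only client and accepts a body in the WordPress REST error layout. Both sample bodies, the status value and the error code are constructed, and the function name is hypothetical.

```javascript
// Constructed sample bodies. The plain-text one starts with "Y", matching the
// "Unexpected token 'Y'" error quoted in the reply; its wording is made up.
const plainTextBody = "Your order could not be processed.";
const jsonBody = JSON.stringify({
  code: "example_order_blocked", // hypothetical code, not the plugin's
  message: "Your order could not be processed.",
  data: { status: 403 },         // constructed status
});

// Returns a list of problems with a blocked-order response; empty means the
// body is something a JSON-only checkout client can parse and display.
function checkBlockedOrderResponse(contentType, body) {
  const problems = [];
  if (!/^application\/json\b/i.test(contentType || "")) {
    problems.push("content-type is not application/json");
  }
  let parsed;
  try {
    parsed = JSON.parse(body); // what the client does with the body
  } catch (e) {
    problems.push(`${e.name}: body is not valid JSON`);
    return problems;
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    problems.push("body is not a JSON object");
    return problems;
  }
  // WordPress REST error layout: string code, string message, data.status.
  if (typeof parsed.code !== "string") problems.push("missing string field: code");
  if (typeof parsed.message !== "string") problems.push("missing string field: message");
  if (!parsed.data || typeof parsed.data.status !== "number") {
    problems.push("missing numeric field: data.status");
  }
  return problems;
}

console.log(checkBlockedOrderResponse("text/html; charset=UTF-8", plainTextBody));
console.log(checkBlockedOrderResponse("application/json; charset=UTF-8", jsonBody));
```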
Hi Philip,
Thanks for letting us know.
We are looking into this.
I will keep you updated.
Hi Susan,
Thank you for your feedback!
Our paid plans start at $23/month, and all plans include unlimited websites. If you have non-profit credentials, please feel free to reach out to our support team. We do offer discounts for non-profit organizations.
Many features such as Manual Moderation and several core WooCommerce fraud protection features remain available for free even if an account reaches the Free plan limits.
We hope you will consider updating your review, as it would mean a lot to our small team.
We will consider your feedback and discuss how to display lower prices more clearly on our website.
Hi!
With custom forms, you can call our API and receive a spam score.
It doesn’t work with embedded forms as there is no reliable way to capture data from them. You can use our Zapier/Make app instead.
Thanks