Make WordPress Core

Opened 9 months ago

Last modified 8 months ago

#60161 new defect (bug)

Comments on pages where comments are not allowed

Reported by: is0ph's profile is0ph Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 6.4.2
Component: Comments Keywords: needs-screenshots needs-testing-info
Focuses: Cc:

Description

Recently I’ve had comment moderation requests on a site where comments are not allowed (both in the Settings > Comments and in the page Settings). I don’t know how these comments are submitted. The targetted page is the Privacy Policy page.

Change History (7)

This ticket was mentioned in Slack in #core-test by webtechpooja. View the logs.


9 months ago

#2 follow-up: @webtechpooja
9 months ago

  • Keywords needs-screenshots needs-testing-info added

Hi @is0ph

Thanks for submitting to Trac!

Recently, we discussed this ticket in our bi-weekly Test team triage session and commenting here what we found:

After reading your comment, it looks like the functionality you're talking about isn't part of the core WordPress software -- it comes from one of your plugins.
But before marking it invalid and closing this ticket, I want to be sure, so it would be great if you could provide more info regarding this issue. Please provide screenshots or more step-by-step information to check this issue. Thanks

#3 @acurran
9 months ago

I wish to concur with the submitter of this ticket. I too have noticed in recent days a number of comments/trackbacks submitted on websites that have commenting & trackbacks turned off. I have never noticed an issue like this before (I've been managing WordPress websites for over 15 years). I manage over 50 websites for my clients and in the last week or two I have seen some spam comments and trackbacks coming in from various websites where commenting was completely disabled. I've seen comments on media pages, posts and mostly on home pages. Most are trackbacks but at least one was a regular comment. They all are spamming pharmaceuticals and the website www.onlypharmacies.com has appeared in a few of them.

The first case I looked into, I checked and verified that commenting was turned off in the settings and also on the individual post that was targeted. It seemed strange but I put it down to some weird one-off anomaly. But after getting some more on different websites, I really think there is something new going on with WordPress. Either someone has discovered an exiting vulnerability that allows comments and/or trackbacks to be submitted when commenting is disabled, or a new vulnerability has been recently introduced. I'm leaning towards the former because, just checking on one case right now, I see that the site is still on WP version 6.3.2. (I've documented this example here - https://imgur.com/vzGWTVQ)

#4 in reply to: ↑ 2 @is0ph
9 months ago

Replying to webtechpooja:

Thanks for your reply.

I’ve had this problem on two sites, both running the latest version of WordPress (6.4.2 at the moment) with up-to-date extensions (one is set to auto-update). The targetted pages were either Home or Privacy Policy. Both sites use a child theme of Twenty-Seventeen and Gutenberg block editing.

Here are some screenshots, excuse my french.

https://sophie-g.net/screenshots/Commentaires — WordPress.jpg

https://sophie-g.net/screenshots/R%C3%A9glages%20des%20commentaires%20%E2%80%94%20WordPress.jpg

https://sophie-g.net/screenshots/Modifier la page « Politique de confidentialité » — WordPress.jpg

Last edited 9 months ago by is0ph (previous) (diff)

#5 @acurran
9 months ago

They keep coming in, 3 more today, 3 different websites. All on trackbacks on home page where Allow comments is OFF. Two of the websites running WP 6.4.2 and one running 6.3.2.

#6 @acurran
8 months ago

Log activity may help shed some light. This is a case where the spammer keeps spamming a media file. I turned off media attachment pages but still keeps happening:

109.248.138.36 - - [26/Jan/2024:11:06:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "https://www.migrationbureau.com/canada/double-decker-bus-57503_960_720/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"
109.248.138.36 - - [26/Jan/2024:11:06:03 +0000] "GET /canada/double-decker-bus-57503_960_720/?unapproved=11&moderation-hash=f762b6ec4f607d99f195530a6ea0f962 HTTP/1.1" 499 0 "https://www.migrationbureau.com/wp-comments-post.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" "-"

and this one is on a different website - commenting & trackbacks is disabled sitewide and also on the individual page:

34.71.189.56 - - [26/Jan/2024:09:02:45 +0000] "POST /wp-trackback.php?page_id=11/11 HTTP/1.1" 404 59 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.106 Safari/537.36" "-"

#7 @nxmndr
8 months ago

Hosting in the hundreds of websites here and I have seen a surge of spam recently. Had to turn off comments and pingbacks for all past posts. This can be done with SQL (or via the multi-edit posts, but this might not cover all post types) :

update wp_posts set comment_status = 'closed', ping_status = 'closed'
where post_type in ('page', 'attachment', 'article');

Make sure to check the values in the DB as some pages still have 'open' due to being another type / created by an extension.

Last edited 8 months ago by nxmndr (previous) (diff)
Note: See TracTickets for help on using tickets.