Over the weekend, the xpub in my MCC data was changed on its own, causing me to lose several thousand dollars. Has anyone else experienced this?
We’ve had a couple reports of hacked sites in the past couple weeks. In the reports we’ve reviewed, the common factor was a vulnerable File Manager plugin, especially File Manager v8.0.2 or earlier. MyCryptoCheckout primarily operates on the backend and does not provide typical attack surfaces like public-facing uploads/forms or non-admin inputs. In other words, if an attacker modifies any MCC files, they generally already had access to the server and/or wp-admin via another compromise path.

If you suspect your site has been hacked, we recommend:
– Run Sucuri Scanner, remove any flagged/modified files.
– Check for any new Administrator users and remove them.
– Update WordPress, and update/remove any file manager plugins.
– Rotate passwords (WP admin + database if applicable).

If you have any questions or need additional help, contact us here – https://mycryptocheckout.com/contact/
@edward_plainview I never said the xpub/zpub changed on its own; rather, the zpub is intact and unchanged, but the addresses being generated don’t belong to the zpub. My addresses were bc1 but now they start with 1. I scanned the site with both Sucuri and Wordfence and yet they didn’t find anything malicious. Anyway, I have uninstalled and deleted the plugin. I’m using something else and now I’m safe. All orders are coming into my wallet.
“the zpub is intact unchanged but the addresses being generated don’t belong to the zpub.”

In that case, a plugin / theme file has been modified that inserts their own address into the order. I’ve even seen examples of the hacker changing the WooCommerce files themselves.
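Added example, not part of the thread or of MyCryptoCheckout's code: a check an operator could run over exported order payment addresses to detect the symptom described above (a zpub is configured, yet orders carry addresses starting with 1). It assumes the SLIP-0132 prefix convention (xpub gives 1…, ypub gives 3…, zpub gives bc1q…); `address_type`, `audit_orders` and the order IDs are hypothetical, and the two valid sample addresses are public test vectors.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# Assumption (SLIP-0132 convention): key prefix -> address type the wallet derives
EXPECTED = {"xpub": "p2pkh", "ypub": "p2sh", "zpub": "p2wpkh"}

def _polymod(values):
    """BIP173 bech32 checksum polynomial."""
    gen = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def address_type(addr):
    """Return 'p2pkh', 'p2sh' or 'p2wpkh'; None if the checksum or type is invalid."""
    a = addr.lower()
    if a.startswith("bc1"):
        if len(a) != 42 or any(c not in B32 for c in a[3:]):
            return None
        data = [B32.index(c) for c in a[3:]]
        hrp = [ord(c) >> 5 for c in "bc"] + [0] + [ord(c) & 31 for c in "bc"]
        return "p2wpkh" if data[0] == 0 and _polymod(hrp + data) == 1 else None
    try:  # Base58Check: 1 version byte + 20-byte hash + 4-byte checksum
        n = 0
        for c in addr:
            n = n * 58 + B58.index(c)
        raw = n.to_bytes(25, "big")
    except (ValueError, OverflowError):
        return None
    if hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] != raw[21:]:
        return None
    return {0x00: "p2pkh", 0x05: "p2sh"}.get(raw[0])

def audit_orders(key_prefix, orders):
    """List (order_id, address, detected_type) for orders that do not match the key."""
    want = EXPECTED[key_prefix]
    return [(oid, a, address_type(a)) for oid, a in orders if address_type(a) != want]

SAMPLE_ORDERS = [  # constructed order list for illustration
    (1001, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # BIP173 test vector
    (1002, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),          # genesis-block address
    (1003, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5"),  # last character altered
]
```

A type match only shows the address format is consistent with the configured key; confirming an address really derives from the zpub still requires deriving it in the wallet itself.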
The same crap happened again… I changed all my passwords and cleaned up all my data, but they changed the XPub again. I demand a statement and compensation; otherwise, I will use all available channels to share my experience and issue a warning.
Hi,

We understand your frustration, but we need to be clear about the technical reality. MyCryptoCheckout cannot modify wallet addresses (xPub) on its own. For an xPub to be changed, the request must come from a logged-in Administrator account. If these settings were changed again after you updated your passwords, it indicates that your environment is still compromised (e.g., via a vulnerable plugin, a backdoor script, or a hidden admin user).

Regarding plugin security: MyCryptoCheckout is currently the largest crypto gateway for WordPress, with over 8,000 active installations. Our codebase is constantly audited by security researchers, and we take any potential vulnerability extremely seriously. If there were a flaw in the plugin itself, it would be affecting thousands of users. If you can point to a specific flaw in the plugin code, we are happy to investigate.

If you need additional help analyzing your logs or securing your site, please feel free to email us.
We have released a new version of the plugin, v2.152, that has a security fix related to this. See this thread: https://wordpress.org/support/topic/is-the-api-being-hacked/