During the weekend, an order was placed through my companies webstore for one of our products. Based on the information in the order (among some other details), we know the order to be fraudulent. However, what is truly worrisome is that whoever placed the order managed to pay with a disabled payment method.
Our website shop only accepts Credit Card transactions, yet in Sales>Orders, the magento back end shows that the orders were paid by check/money order. As mentioned, this should not be possible due to the fact we have that option disabled in configuration. Also from the checkout on the front end, there is no visible way for making money orders or checks. It requires a credit card to be used to place the order.
Is a bug/exploit being used that is allowing for an outside source to place orders through disabled payment options, or is this an oversight on our end where while it is disabled there is someway to still place the order as a money order? We are currently using Magento Community v.18.104.22.168.
Any insight or feedback on this issue would be appreciated. Thanks!
EDIT/Update: We have since upgraded to 22.214.171.124 and have patched in any subsequent patches. This will in hopes prevent this from repeating itself. That being said, if anyone can provide any insight into how this may have happened, I would greatly appreciate it.
Are you still having the same issue? Is it resolved?
Please confirm so that I can have a look into it.