PayPal Payflow extension exploited for fraudulent transactions

I wanted to submit a problem we had today with the built-in Magento 2.2.5 PayFlow Pro extension.

This is an extension we disabled a year ago and were not using due to issues with PayPal not fixing their zero-dollar transaction authorizations and the slowness of order processing. However, today, despite this extension being disabled, a script began running that was exploiting this extension on our site to test fraudulent cards. They were occurring at a rate of 1 every second. 10,000s of transaction authorizations occurred before PayPal alerted me.

We changed and then deleted the API credentials and also took other measures on our server, but I wanted to alert the Magento community that this issue exists and that, other than disabling it, there was no way to stop 10,000s of test authorizations.

Our hosts said this: "It does look like the URI used, "/paypal/transparent/requestSecureToken/", is the Payflow pro place_order_url (app/code/Magento/Paypal/etc/config.xml), which confirms the requests were the culprit. It's difficult to know how these were still getting through even with Payflow disabled."

Thanks,

Martin
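The burst pattern Martin describes (one POST per second to the endpoint the host identified) is easy to spot in web-server access logs before PayPal raises an alert. The following is an added example, not code from the original post or from Magento: it parses combined-format access-log lines and flags any source IP that POSTs to /paypal/transparent/requestSecureToken/ more than a threshold number of times within a sliding window. The sample log lines, IPs and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Endpoint the host identified as the Payflow Pro place_order_url.
TARGET_PATH = "/paypal/transparent/requestSecureToken/"
# Combined access-log format (Apache/Nginx default); adjust for custom formats.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')


def parse_line(line):
    """Return (ip, timestamp, method, path), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def find_card_testing(lines, window_seconds=60, threshold=10):
    """Return {ip: total POSTs} for IPs exceeding `threshold` POSTs to TARGET_PATH in any window."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path.startswith(TARGET_PATH):
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits in window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample (not real traffic): 203.0.113.7 posts once a second,
# the rate reported in the post; 198.51.100.4 is an ordinary shopper.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2018:14:00:{s:02d} +0000] "POST {TARGET_PATH} HTTP/1.1" 200 512'
    for s in range(15)
] + [
    f'198.51.100.4 - - [10/Oct/2018:14:00:05 +0000] "POST {TARGET_PATH} HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2018:14:20:06 +0000] "GET /checkout/ HTTP/1.1" 200 9000',
]
```

Feeding real access logs through `find_card_testing` and alerting on any non-empty result gives a detection that does not depend on the payment extension's own enable/disable state.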