Latest Theme Update - vulnerable and sending spam!
We have the latest version of Classipress and now it's vulnerable and sending spam by someone or bots. We have reCAPTCHA enabled since day 1, so it's not related to that. I asked my hosting provider and here is their reply:
=========================
192.159.103.131 - - [11/Nov/2021:23:15:28 -0500] "POST /wp-login.php?action=register HTTP/1.1" 302 - "http://i-resell.com/wp-login.php?action=register" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 YaBrowser/18.1.1.840 Yowser/2.5 Safari/537.36"
192.159.103.131 - - [11/Nov/2021:23:15:29 -0500] "GET /wp-login.php?checkemail=registered HTTP/1.1" 302 - "http://i-resell.com/wp-login.php?action=register" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 YaBrowser/18.1.1.840 Yowser/2.5 Safari/537.36"
192.159.103.131 - - [11/Nov/2021:23:15:30 -0500] "GET /login/?checkemail=registered HTTP/1.1" 200 33288 "http://i-resell.com/wp-login.php?checkemail=registered" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 YaBrowser/18.1.1.840 Yowser/2.5 Safari/537.36"
==
The emails are still being sent from this website. On checking further, this domain is something related to the classified ads and the emails are sent with the login credentials of the customer that recently registers on this website.
As per the logs above, the IP 192.159.103.131 registered on your website using the SignUp button on the top right corner, which in turn redirects to the link http://i-resell.com/wp-login.php?action=register and once they sign up the emails are sent from this page.
If you think those registrations shouldn't be happening at such an enormous amount, then please set up a reCaptcha at the wp-login.php page as explained in
https://wordpress.org/support/topic/...on/#post-11332
=========================
I have enabled a different theme for now because the mail queue on the server keeps filling up due to this. Please help!
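
A log triage sketch for the registration pattern shown in the host's log excerpt, added here as an example and not part of the original post or the host's reply: it counts `POST /wp-login.php?action=register` requests per source IP in an Apache combined-format access log and flags IPs that register repeatedly within a short window. The threshold, the window length, the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client IP, timestamp, request line, status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def registration_posts(lines):
    """Yield (ip, datetime) for each POST to wp-login.php?action=register."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path, _, query = m["path"].partition("?")
        if path.endswith("/wp-login.php") and "action=register" in query.split("&"):
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def flag_bursts(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: peak registrations in any sliding window} for IPs at or
    above the threshold. Threshold and window are assumed values to tune."""
    by_ip = defaultdict(list)
    for ip, ts in registration_posts(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample lines (documentation IP ranges, not taken from the post)
def _line(ip, hms, method, path):
    return (f'{ip} - - [11/Nov/2021:{hms} -0500] "{method} {path} HTTP/1.1" '
            f'302 - "http://example.com/" "Mozilla/5.0"')

REG = "/wp-login.php?action=register"
SAMPLE = [_line("203.0.113.7", t, "POST", REG)
          for t in ("23:15:28", "23:16:02", "23:17:40", "23:21:05", "23:50:00")] + [
    _line("203.0.113.7", "23:15:29", "GET", "/wp-login.php?checkemail=registered"),
    _line("198.51.100.20", "23:18:00", "POST", REG),
]
```

Feeding the real access log to `flag_bursts` shows whether the sign-ups come from a handful of addresses, which can be rate-limited or blocked, or are spread across many sources, in which case a challenge on the registration form itself is the more effective control.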