Serious Security Threat, Coupons System

Home Forums WC Vendors Pro Support Serious Security Threat, Coupons System

NOTICE: We've Moved to a Ticket System for Support

As of August 31, 2017 (12am EST) our support forums will be retired (read-only), and we will be moving to a support ticket system.  This will allow us to better organize and answer support requests, and provide a more personalized experience as we assist our customers.

For the time being, we will leave our forums open for reading and learning while we work on creating a more robust Knowledge Base for everyone to use.

If you are a WC Vendors Pro customer please open a support ticket here. 

If you are a WC Vendors user please open a support ticket on the Wordpress.org forums.

The information on this forum is outdated and in most instances no longer relevant. Please be sure to check our documentation for the most up to date information.

https://docs.wcvendors.com/

Thank you to all of our customers!

 

  • This topic has 3 replies, 2 voices, and was last updated 7 years ago by Anna.
Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • April 17, 2017 at 5:29 pm #62235
    Daman
    Participant

    If coupons are active anybody can easily get 100% discount on any product.

    How to reproduce:
    —————-
    1). Create a new vendors account or use your current one.
    2). Create a new coupon.

      a). On Usage Restrictions page manually add any of your existing product.
      b). Right click on added product in select2 field and Inspect Element.
      Ex: <input type=”hidden” class=”wc-product-search enhanced” value=”4729, (ADD AS MANY PRODUCT IDS AS YOU WANT HERE, NO MATTER WHO EVER IS SELLING IT)” tabindex=”-1″>
      c). Manually change the input field’s value to any existing products id.
      d). Make it 100% discount and save.

    3). Add this product to your cart and checkout with your Coupon Code.
    ——————-

    I tested this and anyone can get 100% discount or whatever amount they would like. Looks like there’s no backend validation.

    April 17, 2017 at 5:45 pm #62238
    Anna
    Member

    @daman
    So– if someone soft hacks your site, you decline/cancel the order and ban them?

    April 17, 2017 at 5:54 pm #62240
    Daman
    Participant

    @anna
    That’s the only option.

    Incase any vendor is getting 100’s of orders everyday. He/She may not notice 10% or 20% discounts(hacked).

    I know this can be caught by vendors but it will be nice to have this fixed asap as it can create very serious issues.

    April 17, 2017 at 11:51 pm #62271
    Anna
    Member

    The only person who could actually apply these changes would be the site admin. I will take a look to be sure, though, and if this is an issue I will report it.

  • Author
    Posts
Viewing 4 posts - 1 through 4 (of 4 total)
  • The forum ‘WC Vendors Pro Support’ is closed to new topics and replies.