Serious Security Threat, Coupons System




    If coupons are active, anybody can easily get a 100% discount on any product.

    How to reproduce:
    1). Create a new vendor account or use your current one.
    2). Create a new coupon.

      a). On the Usage Restrictions page, manually add any of your existing products.
      b). Right-click on the added product in the select2 field and Inspect Element.
      Ex: <input type="hidden" class="wc-product-search enhanced" value="4729, (ADD AS MANY PRODUCT IDS AS YOU WANT HERE, NO MATTER WHO EVER IS SELLING IT)" tabindex="-1">
      c). Manually change the input field's value to any existing product's ID.
      d). Make it a 100% discount and save.

    3). Add this product to your cart and check out with your Coupon Code.

    I tested this and anyone can get a 100% discount or whatever amount they would like. Looks like there's no backend validation.


    So, if someone soft hacks your site, you decline/cancel the order and ban them?


    That's the only option.

    In case any vendor is getting hundreds of orders every day, he/she may not notice 10% or 20% discounts (hacked).

    I know this can be caught by vendors but it will be nice to have this fixed asap as it can create very serious issues.


    The only person who could actually apply these changes would be the site admin. I will take a look to be sure, though, and if this is an issue I will report it.
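
The first post attributes the problem to missing backend validation of the hidden field. As an added example (not code from this thread or from WC Vendors), here is a server-side check that re-verifies ownership of every submitted product ID before a coupon is saved. The function name, the `$owner_of` lookup and the sample data are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Split the submitted hidden-field value into product IDs the vendor owns
 * and entries that must be refused. $owner_of maps a product ID to the
 * owning vendor's user ID, or null when no such product exists.
 */
function check_coupon_product_ids(string $raw, int $vendor_id, callable $owner_of): array
{
    $accepted = [];
    $rejected = [];
    foreach (explode(',', $raw) as $token) {
        $token = trim($token);
        if ($token === '') {
            continue; // tolerate empty entries such as a trailing comma
        }
        // Only plain decimal IDs are valid; anything else is refused as-is.
        if (!ctype_digit($token)) {
            $rejected[] = $token;
            continue;
        }
        $id = (int) $token;
        if ($owner_of($id) === $vendor_id) {
            $accepted[$id] = $id; // keyed by ID to drop duplicates
        } else {
            $rejected[] = $token; // another vendor's product, or unknown ID
        }
    }
    return ['accepted' => array_values($accepted), 'rejected' => $rejected];
}

// Constructed sample data: product ID => owning vendor's user ID.
$owners = [4729 => 12, 4730 => 12, 5001 => 34];
// Assumption: in WordPress the lookup would read the product's post author,
// e.g. (int) get_post_field('post_author', $id).
$owner_of = fn(int $id): ?int => $owners[$id] ?? null;

// Vendor 12 submits an own product, another vendor's product and an unknown ID.
$result = check_coupon_product_ids('4729, 5001, 9999', 12, $owner_of);

if ($result['rejected'] !== []) {
    // Fail closed: refuse the save instead of silently dropping entries.
    echo 'Coupon refused, not owned by vendor: ' . implode(', ', $result['rejected']) . PHP_EOL;
} else {
    echo 'Coupon product IDs: ' . implode(', ', $result['accepted']) . PHP_EOL;
}
```

The check belongs in the handler that saves the coupon, since anything enforced only in the form can be edited in the browser.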
