• Resolved dndimitr

    (@dndimitr)


    Hi, I currently work with your plugin and I realized that maybe there is a security issue with the payments using PayPal. Particularly, there is a way to change the amount of money inside the website as a guest, and when you call the button “Buy Now” or “Subscribe” the changed amount will be transferred to the PayPal API.

    • This topic was modified 4 years, 4 months ago by dndimitr.
Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Support mbrsolution

    (@mbrsolution)

    Hi, can you provide more information regarding your report?

    Thank you

    Thread Starter dndimitr

    (@dndimitr)

    I created a new button for subscription following the steps:
    Payments->Create New Button->Paypal Subscription
    And I defined 30 euros as billing amount.

    A new button with shortcode was created. I got that shortcode and added it to
    a page. I used the inspector to check if the button worked well and I observed that there is a hidden input tag in which one can change the amount of money.

    The tag is:
    <input type="hidden" name="a3" value="30">

    If I change the value of the tag, then a new billing amount is passed. The problem is that when I click the submit button, the new amount is also passed to the PayPal API.

    • This reply was modified 4 years, 4 months ago by dndimitr.
    Plugin Support mbrsolution

    (@mbrsolution)

    Thank you for providing more information. I have submitted a message to the developers to investigate further your issue/findings.

    Kind regards

    Plugin Author wp.insider

    (@wpinsider-1)

    It is normal to be able to inspect HTML code and change values of a form. However, after the payment, there are validation checks that happen via the IPN notification. That's the correct place to verify and handle this. If your customer makes an incorrect payment and the membership account is updated, let me know and I will investigate it.

    You also have the option to use a button that you can create from your PayPal account which will remove this concern that you have:
    https://simple-membership-plugin.com/creating-paypal-recurring-payment-button-membership-payment/

    • This reply was modified 4 years, 4 months ago by wp.insider.
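    The server-side check the reply above refers to, as an added illustration that is not the plugin's own code: a function that decides whether a PayPal IPN may activate a membership by comparing the IPN against a trusted catalog, so a hidden `a3` edited in the browser is rejected once the real payment arrives. It assumes the IPN body has already been verified with PayPal and parsed into a dict; the catalog, merchant address and button id are constructed, while the field names (`item_number`, `payment_status`, `mc_currency`, `mc_gross`) are standard IPN variables.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: button id (sent to PayPal as item_number)
# -> the amount the site actually charges. This, not the form's a3 field,
# is the source of truth.
EXPECTED = {
    "btn-sub-30": {"amount": Decimal("30.00"), "currency": "EUR"},
}
MERCHANT_EMAIL = "merchant@example.com"  # hypothetical receiver address


def validate_ipn(ipn: dict) -> tuple[bool, str]:
    """Return (grant_membership, reason) for one verified IPN message."""
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "receiver_email mismatch"
    expected = EXPECTED.get(ipn.get("item_number", ""))
    if expected is None:
        return False, "unknown item_number"
    # Only these IPN types carry a payment; signup notices do not.
    if ipn.get("txn_type") not in ("subscr_payment", "web_accept"):
        return False, "no payment in this IPN type"
    status = ipn.get("payment_status")
    if status == "Pending":
        # The "Funds have not been cleared yet" case from the thread: grant
        # nothing now and wait for the later IPN with status Completed.
        return False, "payment pending, defer"
    if status != "Completed":
        return False, f"payment_status {status!r} not Completed"
    if ipn.get("mc_currency") != expected["currency"]:
        return False, "currency mismatch"
    try:
        paid = Decimal(str(ipn.get("mc_gross", "")))
    except InvalidOperation:
        return False, "mc_gross not numeric"
    if paid != expected["amount"]:
        return False, f"amount mismatch: paid {paid}, expected {expected['amount']}"
    return True, "ok"


# Constructed sample IPNs: an honest 30 EUR payment and one where a3 was edited to 1.
GOOD_IPN = {"receiver_email": "merchant@example.com", "item_number": "btn-sub-30",
            "txn_type": "subscr_payment", "payment_status": "Completed",
            "mc_currency": "EUR", "mc_gross": "30.00"}
TAMPERED_IPN = dict(GOOD_IPN, mc_gross="1.00")

if __name__ == "__main__":
    for label, msg in (("good", GOOD_IPN), ("tampered", TAMPERED_IPN)):
        print(label, validate_ipn(msg))
```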
    Thread Starter dndimitr

    (@dndimitr)

    Hi, I tested what you said. I changed the amount of money by inspecting the HTML code and I applied a transaction. The new amount is presented on the PayPal sandbox page and I completed the payment. Then, a new account was created in the member list while there isn’t a transaction available in the transaction list because “IPN product validation failed.”. However, this failure is also presented when I do not change the amount of money.

    To conclude, when I test the subscription button without changing the amount of money manually by inspecting the HTML, sometimes I get

    [07/15/2020 10:56 AM] – FAILURE: Funds have not been cleared yet. Transaction will be processed when the funds clear!
    [07/15/2020 10:56 AM] – FAILURE: IPN product validation failed.

    When I test the subscription button changing the amount of money manually by inspecting the HTML, sometimes I get the same failure.

    In both cases, the amount of money may or may not be added to the merchant account balance. Sometimes, I also see the changed amount of money in the transaction list.

    Plugin Author wp.insider

    (@wpinsider-1)

    That “funds not cleared” is another issue with your PayPal account that you need to resolve first.

    Basically, the PayPal account setup is not fully complete, so the funds are going into a pending state. You need to fix that by contacting PayPal support and completing your account setup.

    The following post should be helpful:
    https://simple-membership-plugin.com/paypal-transaction-error-funds-cleared-yet/

  • The topic ‘Maybe a security issue’ is closed to new replies.