• Resolved SAY

    (@kalidarn)


Hello dear developers! Please tell me how I can force this hook:

    <?php do_action( 'woocommerce_receipt_' . $order->get_payment_method(), $order->get_id() ); ?>
    to be processed on the server side and not on the user's side. Maybe there is a way to redirect to this hook:

    <?php do_action( 'woocommerce_receipt_' . $order->get_payment_method(), $order->get_id() ); ?>

    so that you can bypass this page: https://test.wpcart.ru/checkout/order-pay/49/?key=wc_order_pTrGJt9aDBLXe&order=49

The thing is, on this page any user can open the developer panel and change the value SUM to anything, and thereby buy the product at any lower price!

Here is an example of how a user can easily change the price of a product!
    [screenshot 1]

    After changing the price and clicking the button: Go to payment
    [screenshot 2]

    The user can pay for the product at his own price, and not the price offered by the site.
    [screenshot 3]

    I think this is a serious problem, especially if these are digital goods. Since the user gets access to download the product after such a payment!

    • This topic was modified 3 years ago by SAY.


Viewing 3 replies - 1 through 3 (of 3 total)
  • Abiola Ogodo

    (@oaoyadeyi)

    @kalidarn

    This is a fairly complex development topic. I’m going to leave it open for a bit to see if anyone is able to chime in to help you out.

    I can also recommend the WooCommerce Developer Resources Portal for resources on developing for WooCommerce.

    You can also visit the WooCommerce Facebook group or the #developers channel of the WooCommerce Community Slack. We’re lucky to have a great community of open-source developers for WooCommerce, and many of our developers hang out there, as well.

    Thread Starter SAY

    (@kalidarn)

On one of my sites I added a redirect in the payment plugin itself so that the client does not linger on this page, but this is not quite the right approach to solving this problem, since the redirect still displays the page for a few seconds, and only then redirects to the payment system!

    Hi @kalidarn,

    If I understand correctly, that wouldn’t typically work since it would fail the server-side validation. Have you been able to alter an order like this and actually gain access to the downloads? If so, have you spoken to the payment gateway creator about it?

    If you can reproduce this using a built-in payment gateway or with one of the Automattic-made ones, please open up a security issue about it. Here’s the URL for where you can do that:

    https://automattic.com/security

    Let us know how it goes.
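The question at the top of the thread (skipping the order-pay/receipt page so the amount never sits in an editable browser form) and the point in the reply above (a tampered amount should fail server-side validation) come down to the same gateway design: build the payment request on the server in `process_payment()` and re-check the reported amount against the stored order total on the way back. The following is an added illustration, not code from the thread, from WooCommerce or from any real payment gateway; the gateway id, option names, callback fields (`order_id`, `order_key`, `amount`, `currency`, `signature`, `txn_id`), the gateway URL and the HMAC scheme are all assumptions made for the example.

```php
<?php
// Added illustration for this thread; not code from the poster, from WooCommerce,
// or from any real gateway. Gateway id, option names, request/callback field names,
// the gateway URL and the HMAC signing scheme are assumptions for the example.

class WC_Gateway_Example extends WC_Payment_Gateway {

    private $secret;

    public function __construct() {
        $this->id           = 'example_gateway';   // assumed gateway id
        $this->has_fields   = false;
        $this->method_title = 'Example Gateway';
        $this->init_form_fields();
        $this->init_settings();
        $this->title  = $this->get_option( 'title', 'Example Gateway' );
        $this->secret = $this->get_option( 'secret' );   // shared HMAC secret (assumed option)
        // The gateway's server posts its result to https://<site>/?wc-api=example_gateway
        add_action( 'woocommerce_api_' . $this->id, array( $this, 'handle_callback' ) );
    }

    public function init_form_fields() {
        $this->form_fields = array(
            'title'  => array( 'title' => 'Title', 'type' => 'text', 'default' => 'Example Gateway' ),
            'secret' => array( 'title' => 'Shared secret', 'type' => 'password' ),
        );
    }

    // HMAC over the fields that must not change between request and callback.
    private function sign( $order_id, $order_key, $amount, $currency ) {
        return hash_hmac( 'sha256', "$order_id|$order_key|$amount|$currency", (string) $this->secret );
    }

    // Runs server-side when the customer places the order. Because the redirect target
    // is the gateway itself, /checkout/order-pay/ (and the woocommerce_receipt_* hook
    // that fires on it) is never rendered, so the browser never holds an amount field.
    public function process_payment( $order_id ) {
        $order    = wc_get_order( $order_id );
        $amount   = wc_format_decimal( $order->get_total(), 2 );
        $currency = $order->get_currency();
        $params   = array(
            'order_id'  => $order->get_id(),
            'order_key' => $order->get_order_key(),
            'amount'    => $amount,
            'currency'  => $currency,
            'signature' => $this->sign( $order->get_id(), $order->get_order_key(), $amount, $currency ),
        );
        $order->update_status( 'pending', 'Awaiting Example Gateway payment.' );
        return array(
            'result'   => 'success',
            'redirect' => 'https://pay.example.invalid/start?' . http_build_query( $params ), // assumed URL
        );
    }

    // Server-to-server notification from the gateway. The posted amount is compared
    // with the total stored on the order, never taken at face value.
    public function handle_callback() {
        $data  = wp_unslash( $_POST );
        $order = wc_get_order( absint( $data['order_id'] ?? 0 ) );
        if ( ! $order || empty( $data['signature'] ) ) {
            status_header( 400 );
            exit( 'bad request' );
        }

        $posted_amount   = wc_format_decimal( $data['amount'] ?? '', 2 );
        $posted_currency = (string) ( $data['currency'] ?? '' );
        $expected        = $this->sign( $order->get_id(), $order->get_order_key(), $posted_amount, $posted_currency );

        // 1. Authenticity: the signature must match the posted values (requires the shared secret).
        // 2. Order key: the caller must know the secret key of this specific order.
        if ( ! hash_equals( $expected, (string) $data['signature'] )
            || ! hash_equals( $order->get_order_key(), (string) ( $data['order_key'] ?? '' ) ) ) {
            status_header( 403 );
            exit( 'invalid signature' );
        }

        // 3. Idempotency: a replayed callback must not re-complete an already paid order.
        if ( ! $order->needs_payment() ) {
            exit( 'OK' );
        }

        // 4. Amount and currency: what was paid must equal what the order says is owed.
        $owed = wc_format_decimal( $order->get_total(), 2 );
        if ( $posted_amount !== $owed || $posted_currency !== $order->get_currency() ) {
            $order->update_status( 'on-hold', sprintf(
                'Payment held: gateway reported %s %s but the order total is %s %s.',
                $posted_amount, $posted_currency, $owed, $order->get_currency()
            ) );
            exit( 'amount mismatch' );
        }

        $order->payment_complete( sanitize_text_field( $data['txn_id'] ?? '' ) );
        exit( 'OK' );
    }
}

add_filter( 'woocommerce_payment_gateways', function ( $gateways ) {
    $gateways[] = 'WC_Gateway_Example';
    return $gateways;
} );
```

The order-pay page the poster wants to avoid is only shown when a gateway's `process_payment()` redirects to `$order->get_checkout_payment_url( true )`; returning the gateway's own URL, as above, sends the customer straight there. Whichever way the customer reaches the gateway, the callback is where the defence lives: an order is only marked paid when the signed, gateway-reported amount and currency equal `$order->get_total()` and `$order->get_currency()` as stored on the server, and any mismatch is held for review with an order note rather than released for download.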

  • The topic ‘problem with order-receipt.php’ is closed to new replies.