Vulnerability. Gift card codes accesible

Hi there,
we hope you’re doing well!

It really is strange what has happened to you. Could you confirm if you had our plugin, WC and WP updated to the latest version when this happened to you?

Please let me know.

Best regards.

Hola Juan,
Yes we were very concerned about this too. Your plugin and wordpress had the latest version, WC 9.0.2. I update everything every end of the month. Investigating this we realize this user has been using the website’s benefits “too much”, he has figure out how to receive more than he should. We also noticed the gift card codes we sent had consecutives numbers. So maybe mixing this with the detail we didn’t put attention to that the codes could be used by any user, not only by the recipient’s email address user, created this issue. He said… “the website just kept offering the discount so I kept purchasing”, until 3 am every 20 minutes. That’s all we’ve learned about this.
I hope this helps, thanks

Hello there,

The generation of gift card codes is random, so it is strange that they appear with consecutive numbers. Additionally, it should be possible to use the gift card only once for each order, until the balance is $0.

I just checked this locally and it works correctly.

If you need us to review that on your site, it may be best to do it on a test site. You can easily create one using the free WP Staging plugin.

Let us know any news.

Best regards.

Hi, I created the codes manually, I deleted the plugin now so I can’t check if I can create them consecutively, but I think I can. And as I said, he made 16 purchases, one for each gift card.

What I think could’ve helped is that only the user that received the gift card was abel to use it, not anyone.

Thanks