• Resolved mau5

    (@mau5)


    Hi,

    I just saw that someone or a (search engine) bot (from Yandex) visited my WooCommerce shop checkout page from an order that was already paid a week ago.
    Someone or the bot visited this URL:

    https://domain.com/checkout/order-received/6364?key=wc_order_6b4230889Aff&utm_nooverride=1

    And you can see the order details of the customer. How does someone know the URL of this page? And how can I disable or remove these pages to prevent this?

    Btw, I am not logged in and I am going to the URL in private mode in my browser and I can see everything: order details, bank account number, how much the order was etc.

    Thanks!

    • This topic was modified 6 years, 11 months ago by mau5.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support RK a11n

    (@riaanknoetze)

    It could be the customer saved the link in their browser favourites in order to return later. That said, no one from WooCommerce would have access to that link by default since the order key is randomly generated and is accessible through your site only.

    Joel Williams

    (@joelwills)

    Automattic Happiness Engineer

    Just to confirm on this, on the link you cannot see the user email, name, billing or shipping address. Only the order number, product, and price paid display; private information is hidden unless the user is logged in to their account.

    Bank account number of the customer should never show as it’s not entered, but your bank account number will show if you have BACS enabled (anyone who places an order can see that).

    I’ll close this ticket now but if you have any further questions please open a new ticket, thanks!

  • The topic ‘Why can everyone see the order details of a customer on checkout page (bug?)’ is closed to new replies.
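
An added example, not part of the thread and not WooCommerce code: a Python script that scans a web server access log for order-received URLs of the form quoted in the question and flags views that suggest the link has travelled beyond the customer (crawler user agent, a different client IP than the first view, or a view long after the first one). The Combined Log Format, the crawler pattern, the one-day threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [time] "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" '
                     r'(\d{3}) \S+ "[^"]*" "([^"]*)"')
ORDER_RE = re.compile(r'/checkout/order-received/(\d+)/?$')
CRAWLER_RE = re.compile(r'bot|crawl|spider', re.I)  # assumed heuristic
MAX_AGE = timedelta(days=1)                         # assumed threshold

def suspicious_order_views(lines):
    """Return (order_id, client_ip, reasons) per flagged view; lines must be chronological."""
    first_seen = {}   # order key -> (ip, time) of the first successful view
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target, status, agent = m.groups()
        url = urlsplit(target)
        order = ORDER_RE.search(url.path)
        key = parse_qs(url.query).get("key", [None])[0]
        if not order or not key or status != "200":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        origin_ip, origin_time = first_seen.setdefault(key, (ip, when))
        reasons = []
        if CRAWLER_RE.search(agent):
            reasons.append("crawler user agent")
        if ip != origin_ip:
            reasons.append("different client than first view")
        if when - origin_time > MAX_AGE:
            reasons.append("viewed long after first view")
        if reasons:
            findings.append((order.group(1), ip, reasons))
    return findings

# Constructed sample lines: documentation IP ranges, placeholder order key and dates.
SAMPLE = [
    '203.0.113.10 - - [01/Mar/2018:10:00:00 +0000] "GET /checkout/order-received/6364/'
    '?key=wc_order_EXAMPLEKEY HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Firefox/58.0"',
    '198.51.100.7 - - [08/Mar/2018:04:12:09 +0000] "GET /checkout/order-received/6364'
    '?key=wc_order_EXAMPLEKEY&utm_nooverride=1 HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)"',
]

if __name__ == "__main__":
    print(suspicious_order_views(SAMPLE))
```

A flagged order key tells you which order pages were viewed by someone other than the original browser session; it does not tell you how the URL reached that client.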