• Resolved fesarlis

    (@fesarlis)


    Consider the following scenario:

    A Woocommerce customer is logged in using the frontend.

    He enters “https://mysite.com/wp-admin/index.php”

    He is now inside the backend. This shouldn’t be allowed in the first place. I understand that your plugin just hides the login, but this should be an option, at least for Woocommerce. The normal behaviour would be that the customer cannot see a dashboard.

    MORE IMPORTANTLY: if the customer tries to log out from the dashboard, he is able to see the HIDDEN URL in the browser’s status bar when hovering over the ‘Logout’ link.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The same thing I have asked; no response. What is the alternative, any ideas?

    https://www.ads-software.com/support/topic/hide-url-for-user-roles/

    Plugin Author NicolasKulka

    (@nicolaskulka)

    If clients can connect, there is no interest in hiding the login URL.

    Hi, not really: the login is done through the front-end page, so the previous point still applies.

    Not criticising your plugin. It does what it does. Just, if this is not the intention, it should be made obvious to users, as most people will not even notice this security “flaw”.

    Thanks, Nicolas.

    Thread Starter fesarlis

    (@fesarlis)

    I agree with hskokanek. As far as Woocommerce is concerned, the whole point of using this plugin is to prevent simple customers from accessing the dashboard (even if they have no permission to do anything). To put it another way, what is the point of hiding the login URL if ANYONE can register as a customer and see it?

    My workaround is to disable wp-admin and wp-login.php at web server level. The reason I am using this plugin is because of a side effect it has. If I don’t use it, customers cannot log out using the logout endpoint of WC. The endpoint obviously uses wp-login.php, and they get a 403 error because it is blocked at server level. It is worth noting that this behaviour did not occur in older versions of WC (e.g. 2.2). By using this plugin, and perhaps because the URL is changed, customer logout still works.

    • This reply was modified 5 years, 7 months ago by fesarlis.
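The behaviour fesarlis asks for above (customers never see the dashboard, and so never see the Logout link that reveals the hidden login slug) can be enforced in WordPress itself rather than at the web server, which leaves wp-login.php reachable and keeps the WooCommerce logout endpoint working. The following must-use plugin is an added example written for this page; it is not code from WPS Hide Login, WooCommerce or any participant in the thread. It assumes that customer accounts lack the `edit_posts` capability (the default for WooCommerce’s “customer” role) and that every legitimate backend user has it; the constant `EXAMPLE_DASHBOARD_CAP` and the function `example_user_may_use_dashboard` are names chosen for this example.

```php
<?php
/**
 * Plugin Name: Keep customers out of wp-admin
 * Description: Added example for this thread, not part of WPS Hide Login or WooCommerce.
 *
 * Drop this file into wp-content/mu-plugins/ so it is loaded on every request.
 * Assumption: users who may use the dashboard have the capability below
 * (WooCommerce's "customer" role does not have it). Change it if your site
 * uses a different split between customers and staff.
 */

// Capability that marks a legitimate backend user (assumption, see above).
const EXAMPLE_DASHBOARD_CAP = 'edit_posts';

function example_user_may_use_dashboard() {
    return current_user_can( EXAMPLE_DASHBOARD_CAP );
}

// Any request under /wp-admin/ from a logged-in user without the capability
// is redirected to the My Account page instead of rendering the dashboard.
add_action( 'admin_init', function () {
    // Front-end AJAX (cart fragments, add-to-cart, etc.) goes through
    // admin-ajax.php and must keep working for customers.
    if ( wp_doing_ajax() ) {
        return;
    }
    if ( ! is_user_logged_in() || example_user_may_use_dashboard() ) {
        return;
    }
    $target = function_exists( 'wc_get_page_permalink' )
        ? wc_get_page_permalink( 'myaccount' )  // WooCommerce's My Account page
        : home_url( '/' );                      // fallback if WooCommerce is inactive
    wp_safe_redirect( $target );
    exit;
} );

// Also hide the front-end admin bar from customers: its "Log Out" entry is
// another place where a rewritten login URL would show up on hover.
add_filter( 'show_admin_bar', function ( $show ) {
    return example_user_may_use_dashboard() ? $show : false;
} );
```

Because nothing here touches wp-login.php, WooCommerce’s customer-logout endpoint, which redirects through the (possibly rewritten) logout URL, continues to work without the 403 described above. If you keep a web-server-level block on wp-login.php anyway, exempt the `action=logout` request from it, or customers will hit the same 403 again. Check for a recent WooCommerce version before adding this: newer releases carry their own “prevent admin access” check for customer accounts, in which case this file only adds the admin-bar part.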
  • The topic ‘Woocommerce security hole’ is closed to new replies.