[wp-meta] [Making WordPress.org] #7010: Unauthorized Swag Ordering via Guest User Checkout

Making WordPress.org noreply at wordpress.org
Thu May 25 09:40:59 UTC 2023

#7010: Unauthorized Swag Ordering via Guest User Checkout
 Reporter:  Ankit K Gupta                        |      Owner:  (none)
     Type:  defect (bug)                         |     Status:  new
 Priority:  high                                 |  Milestone:
Component:  Swag Store                           |   Keywords:  2nd-opinion
  (mercantile.wordpress.org)                     |

 Contributors of WP received an email informing them about the opportunity
 to order swag up to $25 by utilizing the coupon code ‘ThanksFor20’ here on
 this site https://mercantile.wordpress.org/.
 However, it has been observed that this coupon allows guest users to check
 out without requiring them to log in to the store. Consequently, if a
 person possesses the email ID of another contributor, they can easily
 order swag on their behalf and have it shipped to their own address while
 utilizing the coupon code.


 **Watch this screencast for detailed info:**

 **Steps to Reproduce:**

 1. Obtain the email ID of a contributor from a WordPress.org
 profile/LinkedIn/Slack/GitHub profile or any other source.
 2. Visit the WP store website.
 3. Add swag items to the cart.
 4. Proceed to checkout as a guest user.
 5. Enter the email ID of the contributor as the recipient (as captured
 from step 1).
 6. Apply the coupon code ‘ThanksFor20’.
 7. Complete the checkout process and add your own address.
 8. Verify that the order is successfully placed without requiring a login.

 **Expected Behavior:**

 The coupon code ‘ThanksFor20’ should be restricted to authenticated users
 only, preventing unauthorized individuals from ordering swag on behalf of
 other contributors.

 **Actual Behavior:**

 The coupon code ‘ThanksFor20’ allows guest users to complete the checkout
 process without logging in or validating the user, enabling them to order
 swag items for someone else and utilize the coupon code themselves.


 Consistently reproducible.


 This bug allows unauthorized individuals to take advantage of the coupon
 code ‘ThanksFor20’ by ordering swag for other contributors without their
 consent. It could result in increased expenses and potential misuse of the

 ''**As a result, deserving contributors will not be able to order their
 swag as the 'ThanksFor20' coupon is valid for single use.**''

 ''Note: I obtained explicit consent from the person before utilizing her
 email ID for the purpose of this order and demonstrating the issue in the
 above video.''

Ticket URL: <https://meta.trac.wordpress.org/ticket/7010>
Making WordPress.org <https://meta.trac.wordpress.org/>
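The restriction the ticket asks for (coupon usable only by an authenticated contributor, for their own account) can be enforced at coupon-validation time. The following is an added example and not code from the ticket or from the WordPress.org store; it assumes the store runs WooCommerce and that the coupon named in the ticket is the only one the rule applies to.

```php
<?php
/**
 * Added example (not the store's own code). Assumes a WooCommerce store.
 * Rejects the contributor coupon for guests, and for logged-in users whose
 * billing email does not match their own account, so the coupon cannot be
 * redeemed "on behalf of" another contributor by typing in their address.
 */

// Hypothetical constant holding the coupon code named in the ticket.
const WPORG_CONTRIBUTOR_COUPON = 'thanksfor20';

/**
 * Runs inside WooCommerce's coupon validation. Returning false (or throwing
 * an Exception) makes WooCommerce refuse the coupon with a message.
 *
 * @param bool      $valid  Result of WooCommerce's own checks so far.
 * @param WC_Coupon $coupon Coupon being validated.
 * @return bool
 * @throws Exception When the coupon is used outside the allowed conditions.
 */
function wporg_restrict_contributor_coupon( $valid, $coupon ) {
    // Leave every other coupon untouched.
    if ( strtolower( $coupon->get_code() ) !== WPORG_CONTRIBUTOR_COUPON ) {
        return $valid;
    }
    if ( ! $valid ) {
        return false;
    }
    // Guest checkout must not redeem it at all (the bug in the ticket).
    if ( ! is_user_logged_in() ) {
        throw new Exception( 'Please log in to your WordPress.org account to use this coupon.' );
    }
    // The billing email entered at checkout must be the logged-in account's
    // own email, otherwise a logged-in user could still redeem it for another
    // contributor's address.
    $account_email = strtolower( wp_get_current_user()->user_email );
    $billing_email = '';
    if ( function_exists( 'WC' ) && WC()->customer ) {
        $billing_email = strtolower( (string) WC()->customer->get_billing_email() );
    }
    if ( '' === $billing_email || $billing_email !== $account_email ) {
        throw new Exception( 'This coupon can only be used with the email address of your own account.' );
    }
    return true;
}
add_filter( 'woocommerce_coupon_is_valid', 'wporg_restrict_contributor_coupon', 10, 2 );
```

The per-user single-use limit that the ticket mentions is only meaningful once the account, not a freely typed email, identifies the redeemer, which is what this check ties together.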