[wp-meta] [Making WordPress.org] #7010: Unauthorized Swag Ordering via Guest User Checkout
Making WordPress.org
noreply at wordpress.org
Thu May 25 09:40:59 UTC 2023
#7010: Unauthorized Swag Ordering via Guest User Checkout
-------------------------------------------------+-------------------------
Reporter: Ankit K Gupta                          | Owner: (none)
Type: defect (bug)                               | Status: new
Priority: high                                   | Milestone:
Component: Swag Store (mercantile.wordpress.org) | Keywords: 2nd-opinion
-------------------------------------------------+-------------------------
**Description:**
Contributors of WP received an email informing them about the opportunity
to order swag up to $25 by utilizing the coupon code ‘ThanksFor20’ here on
this site https://mercantile.wordpress.org/.
However, it has been observed that this coupon allows guest users to check
out without requiring them to log in to the store. Consequently, if a
person possesses the email ID of another contributor, they can easily
order swag on their behalf and have it shipped to their own address while
utilizing the coupon code.
[[Image(https://i.imgur.com/92IpIm4.jpg)]]
**Watch this screencast for detailed info:**
https://screenpal.com/watch/c0hTi4VAmZH
**Steps to Reproduce:**
1. Obtain the email ID of a contributor from a WordPress.org
profile, LinkedIn, Slack, GitHub profile or any other source.
2. Visit the WP store website.
3. Add swag items to the cart.
4. Proceed to checkout as a guest user.
5. Enter the email ID of the contributor as the recipient (as captured
in step 1).
6. Apply the coupon code ‘ThanksFor20’.
7. Complete the checkout process and add your own address.
8. Verify that the order is successfully placed without requiring a login.
**Expected Behavior:**
The coupon code ‘ThanksFor20’ should be restricted to authenticated users
only, preventing unauthorized individuals from ordering swag on behalf of
other contributors.
**Actual Behavior:**
The coupon code ‘ThanksFor20’ allows guest users to complete the checkout
process without logging in or validating the user, enabling them to order
swag items for someone else and utilize the coupon code themselves.
**Reproducibility:**
Consistently reproducible.
**Impact:**
This bug allows unauthorized individuals to take advantage of the coupon
code ‘ThanksFor20’ by ordering swag for other contributors without their
consent. It could result in increased expenses and potential misuse of the
promotion.
''**As a result, deserving contributors will not be able to order their
swag as the 'ThanksFor20' coupon is valid for single use.**''
''Note: I obtained explicit consent from the person before utilizing her
email ID for the purpose of this order and demonstrating the issue in the
above video.''
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/7010>
Making WordPress.org <https://meta.trac.wordpress.org/>
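One way to enforce the expected behavior described in the ticket, as an added example that is not part of the ticket or of the WordPress.org store's own code: a small WooCommerce plugin snippet that rejects the coupon for guests and, for logged-in users, requires the billing email to match the account email (a plain "allowed emails" coupon restriction is not enough on its own, because the billing email is typed in by whoever is checking out). It assumes the standard WooCommerce hooks `woocommerce_coupon_is_valid`, `woocommerce_coupon_error` and `woocommerce_after_checkout_validation`; the coupon code constant is taken from the ticket.

```php
<?php
// Added example, not the store's own code. Assumes WooCommerce is active.
// Coupon code from the ticket; WooCommerce stores applied codes lowercased.
const CONTRIBUTOR_COUPON = 'thanksfor20';

function contributor_coupon_applies( WC_Coupon $coupon ) {
    return strtolower( $coupon->get_code() ) === CONTRIBUTOR_COUPON;
}

// 1. A guest (not logged in) must not be able to apply the coupon at all.
add_filter( 'woocommerce_coupon_is_valid', function ( $valid, $coupon ) {
    if ( $valid && contributor_coupon_applies( $coupon ) && ! is_user_logged_in() ) {
        return false;
    }
    return $valid;
}, 10, 2 );

// Replace WooCommerce's generic "Coupon is not valid." text for this case.
add_filter( 'woocommerce_coupon_error', function ( $message, $code, $coupon ) {
    if ( $coupon instanceof WC_Coupon && contributor_coupon_applies( $coupon )
        && ! is_user_logged_in() ) {
        return 'Please log in with your WordPress.org account to use this coupon.';
    }
    return $message;
}, 10, 3 );

// 2. Even when logged in, the billing email must be the account's own email,
//    so the coupon cannot be redeemed against another contributor's address.
add_action( 'woocommerce_after_checkout_validation', function ( $data, $errors ) {
    $applied = array_map( 'strtolower', WC()->cart->get_applied_coupons() );
    if ( ! in_array( CONTRIBUTOR_COUPON, $applied, true ) ) {
        return;
    }
    $user          = wp_get_current_user();
    $billing_email = isset( $data['billing_email'] )
        ? strtolower( trim( $data['billing_email'] ) ) : '';
    if ( ! $user->exists() || strtolower( $user->user_email ) !== $billing_email ) {
        // $errors is a WP_Error; adding to it blocks the order from being placed.
        $errors->add( 'coupon_email_mismatch',
            'This coupon can only be used with the email address of your own account.' );
    }
}, 10, 2 );
```

Single-use enforcement (one redemption per account) is a separate coupon setting and is not covered here.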