[wp-meta] [Making WordPress.org] #7010: Unauthorized Swag Ordering via Guest User Checkout

Making WordPress.org noreply at wordpress.org
Thu May 25 22:11:06 UTC 2023

#7010: Unauthorized Swag Ordering via Guest User Checkout
 Reporter:  Ankit K Gupta                          |       Owner:  (none)
     Type:  defect (bug)                           |      Status:  closed
 Priority:  high                                   |   Milestone:
Component:  Swag Store (mercantile.wordpress.org)  |  Resolution:  wontfix
 Keywords:  2nd-opinion                            |
Changes (by slash1andy):

 * status:  new => closed
 * resolution:   => wontfix


 Thanks for taking the time to report this.

 Basically, I would not consider this an exploit or a bug, but a function
 of having a coupon code that requires email validation. The only way to
 pull this off is to know the coupon code (sent out via private email)and
 then the email of a core contributor.

 This is more social engineering than anything, in my opinion.

 There's also limitations on order amounts, so by using that coupon code
 with that email, it cannot be reproduced, as only 1 order is allowed per

 There is not a way to prevent this without explicitly forbidding guest
 checkout (not something we are going to do), and also auto creating
 accounts for all emails that received the coupon.

Ticket URL: <https://meta.trac.wordpress.org/ticket/7010#comment:1>
Making WordPress.org <https://meta.trac.wordpress.org/>
Making WordPress.org

More information about the wp-meta mailing list