[wp-meta] [Making WordPress.org] #7010: Unauthorized Swag Ordering via Guest User Checkout
Making WordPress.org
noreply at wordpress.org
Thu May 25 22:11:06 UTC 2023
#7010: Unauthorized Swag Ordering via Guest User Checkout
---------------------------------------------------+----------------------
Reporter: Ankit K Gupta | Owner: (none)
Type: defect (bug) | Status: closed
Priority: high | Milestone:
Component: Swag Store (mercantile.wordpress.org) | Resolution: wontfix
Keywords: 2nd-opinion |
---------------------------------------------------+----------------------
Changes (by slash1andy):
* status: new => closed
* resolution: => wontfix
Comment:
Thanks for taking the time to report this.
Basically, I would not consider this an exploit or a bug, but a function
of having a coupon code that requires email validation. The only way to
pull this off is to know the coupon code (sent out via private email) and
then the email of a core contributor.
This is more social engineering than anything, in my opinion.
There are also limitations on order amounts, so by using that coupon code
with that email, it cannot be reproduced, as only 1 order is allowed per
email.
There is not a way to prevent this without explicitly forbidding guest
checkout (not something we are going to do), and also auto creating
accounts for all emails that received the coupon.
--
Ticket URL: <https://meta.trac.wordpress.org/ticket/7010#comment:1>
Making WordPress.org <https://meta.trac.wordpress.org/>
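The controls described in the comment above (a coupon that is only valid for the addresses it was privately sent to, and a limit of one order per email) can be modelled as a small redemption check. The following is an added illustration, not code from the ticket or from the WordPress.org swag store; the coupon code, addresses, the `Coupon` class and the `require_verified_email` option are all constructed assumptions. The last option stands in for the stricter policy the comment says is not going to be adopted (requiring proof of email ownership, e.g. via an account), so the example shows both where the current policy stops a repeat order and what the guest-checkout gap looks like.

```python
"""Added example: coupon redemption check with a per-email order limit.
Not WordPress/WooCommerce code; all names and values are constructed."""

from dataclasses import dataclass, field

# Constructed sample data: one coupon, privately sent to two addresses.
SAMPLE_COUPON_CODE = "CONTRIB-SWAG-2023"  # placeholder code, not a real one
SAMPLE_ELIGIBLE = {"alice@example.org", "bob@example.org"}  # constructed


@dataclass
class Coupon:
    code: str
    eligible_emails: set          # addresses the coupon was sent to
    redeemed_by: set = field(default_factory=set)  # addresses that already ordered


def normalize_email(email: str) -> str:
    """Case-fold and trim so 'Alice@Example.org ' matches 'alice@example.org'."""
    return email.strip().lower()


def redeem(coupon: Coupon, code: str, email: str,
           email_verified: bool = False,
           require_verified_email: bool = False):
    """Return (accepted, reason). On success the email is recorded so a
    second order with the same address is refused (one order per email).

    require_verified_email=True models the stricter policy of demanding
    proof of address ownership (an assumption, not the store's behaviour)."""
    email = normalize_email(email)
    if code != coupon.code:
        return False, "unknown coupon code"
    if email not in coupon.eligible_emails:
        return False, "email not on the coupon's recipient list"
    if email in coupon.redeemed_by:
        return False, "only one order allowed per email"
    if require_verified_email and not email_verified:
        return False, "email ownership not verified (guest checkout)"
    coupon.redeemed_by.add(email)
    return True, "accepted"


def make_sample_coupon() -> Coupon:
    return Coupon(SAMPLE_COUPON_CODE, set(SAMPLE_ELIGIBLE))


def demo():
    """Walk through the scenarios the ticket comment describes."""
    results = []
    c = make_sample_coupon()
    # Guest checkout with a listed address and the right code: accepted
    # under the current policy, since no ownership proof is demanded.
    results.append(redeem(c, SAMPLE_COUPON_CODE, "Alice@Example.org "))
    # A second order for the same address is stopped by the per-email limit.
    results.append(redeem(c, SAMPLE_COUPON_CODE, "alice@example.org"))
    # Under the stricter (assumed) policy the same first attempt is refused
    # until the address is verified.
    c2 = make_sample_coupon()
    results.append(redeem(c2, SAMPLE_COUPON_CODE, "bob@example.org",
                          email_verified=False, require_verified_email=True))
    return results


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Running the block prints the three outcomes in order: accepted, refused by the one-order-per-email rule, and refused by the (assumed) ownership check. The normalisation step matters for the per-email limit: without it, a differently-cased copy of the same address would count as a new email.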