• Hello,

    Firstly, thanks for this great plugin!

    The plugin has a serious security bug.

    The Order Attachment can be displayed for any user, just by trying the order id in the browser's address bar.
    Example: https://mystore.com/account/order/4556
    Result: https://pasteboard.co/H6iV7q0.png

    Fix: You just need to check if the order is from the requesting user. This way, we can protect the attachment for the order’s owner.

    I would be very happy with this fix!

    Thank you!

Viewing 1 replies (of 1 total)
  • The topic ‘[BUG] Order Attachment Showing for non order owners’ is closed to new replies.
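
The ownership check the post asks for, as an added example that is not part of the original post and not the plugin's code. It is plain PHP over constructed order data; the function name, the array layout and the staff flag are assumptions, and in a WooCommerce plugin the order and its owner would come from `wc_get_order()` and `get_customer_id()`, the requester from `get_current_user_id()`.

```php
<?php
// Added illustration: plain PHP, no WordPress/WooCommerce loaded.
// $orders is constructed sample data; customer_id 0 marks a guest order.
$orders = [
    4556 => ['customer_id' => 12, 'attachment' => 'invoice-4556.pdf'],
    4557 => ['customer_id' => 34, 'attachment' => 'invoice-4557.pdf'],
    4558 => ['customer_id' => 0,  'attachment' => 'invoice-4558.pdf'],
];

/**
 * Hypothetical helper: return the attachment name only if the requester
 * owns the order (or is store staff); otherwise null.
 */
function attachment_for_user(array $orders, $raw_order_id, int $user_id, bool $is_staff = false): ?string
{
    // The id comes from the URL, so validate it as a positive integer first.
    $order_id = filter_var($raw_order_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($order_id === false || !isset($orders[$order_id])) {
        // Same answer as "not yours", so responses do not reveal which ids exist.
        return null;
    }
    if ($is_staff) {
        return $orders[$order_id]['attachment'];
    }
    $owner = (int) $orders[$order_id]['customer_id'];
    // A logged-out visitor is user 0 and a guest order has owner 0; without
    // the explicit > 0 guards, 0 === 0 would hand guest orders to anyone.
    if ($user_id <= 0 || $owner <= 0 || $owner !== $user_id) {
        error_log("denied attachment access: user=$user_id order=$order_id");
        return null;
    }
    return $orders[$order_id]['attachment'];
}

// Constructed requests: the owner, another customer, a logged-out visitor
// on a guest order, a malformed id, and store staff.
var_dump(attachment_for_user($orders, '4556', 12));
var_dump(attachment_for_user($orders, '4556', 34));
var_dump(attachment_for_user($orders, '4558', 0));
var_dump(attachment_for_user($orders, '4556abc', 12));
var_dump(attachment_for_user($orders, '4557', 1, true));
```

The denied branch logs the requester and order id, which gives store operators a signal when one account walks through sequential order ids.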