• Hello,

    I use the free WCFM marketplace system on my page.

    Today I saw a very big issue – I connect as a Vendor to the store and I am able to edit another vendor's store and items.

    WTF??????

Viewing 8 replies - 1 through 8 (of 8 total)
  • can you give step by step how you did that?

    Thread Starter mamandis

    (@mamandis)

    Thank you for the fast reply!

    First, as I said, I created a web page – a marketplace with the WCFM marketplace plugin (which is very comfortable) – and have some vendors there; as one of them, I have a store there (created my own store on my page).

    Today I managed something in CSS.

    Then I opened incognito mode and connected to my store as a vendor (saw my store’s dashboard – OK), then opened the items page (same account), opened another vendor’s item (just for checking), and saw the button, under the price, “product catalog” or something like this – I do not remember exactly, because my first action was to hide it through CSS (so that vendors do not see this issue).

    P.S. Tried different vendors – can edit others -> Connected as simple VENDOR.


    Help, please! 8#

    tried it. not repeatable.

    Thread Starter mamandis

    (@mamandis)

    What do you mean, @looknear , by “tried it. not repeatable”?

    Today I checked the account of a separate vendor (yesterday I tried to edit a product from another store) and saw that the product I edited yesterday now belongs to the store I edited with.

    It is a very, very big security issue.

    P.S. Are you, @looknear, a developer of WTMC marketplace? I would ask you directly later in that case.

    I am not. Just a user. I tried the steps you specified – without getting the same issue. The vendor in the anonymous browser could not edit other products which do not belong to him.

    So – please specify a detailed step-by-step, maybe with some screenshots – on how to reproduce this issue.

    IT IS A BIG ISSUE, I agree, if it is true.

    So – we must double verify it to see that we all get the same results.

    Thread Starter mamandis

    (@mamandis)

    Sorry for the late reply – Easter. I hope you, @looknear, spent it well too.

    I made a video – connected as Vendor “Valenti” and edited another vendor’s item, and the item I edited became mine. It is a big ISSUE.


    Video:

    https://file.io/cj0PJWqg3uLm

    Take a look, please, and let me know what to do..

    item was deleted…

    maybe youtube?…

    Thread Starter mamandis

    (@mamandis)

    Sorry @looknear ,

    Now I put it on Google Drive, so it should be accessible.

    https://drive.google.com/file/d/1ZN4F8lPeQnD1-vxWzG8X6Nv1LFlD9YMg/view?usp=share_link

    P.S. Valenti is a simple vendor, same as the Felt4you vendor.

  • The topic ‘Can edit another venor items. WTF????? Big security issue!’ is closed to new replies.