• Resolved s0anes

    (@s0anes)


    Hi,

    I got sent a ‘Forgot Items in your Cart’ email today by my website, as I have a user account and was testing it out (this account is admin with 2FA enabled). I clicked on this link to resume my cart from a different PC than the one I received the email on; however, it took me to my cart and also somehow logged me in without having to input my username, password or 2FA code.

    Is this meant to happen? After clicking the link to resume the cart, it also resumes the login session (regardless of 2FA via Wordfence and being on a new PC)?

    For reference, I now have a link I can click as many times as I want which logs me straight into an admin account, bypassing the 2FA set by Wordfence.

    Thanks!

    • This topic was modified 1 year, 8 months ago by s0anes.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support oluisrael

    (@oluisrael)

    @s0anes I’m sorry about this experience you had with our plugin.

    First of all, this incident you analyzed isn’t meant to happen, and this is something we also discovered internally, and we’re already working on patching. We’re almost at the later stages of deploying some solutions to the next version update, which is just a couple of days away, that will require users/customers to log in first before being able to access the cart content or continue the user session.

    Thank you for your understanding and cooperation on this.

    Plugin Support oluisrael

    (@oluisrael)

    @s0anes we have fixed the issue you reported. You can download and install this plugin copy here, as it already contains the patch.

  • The topic ‘Intended Use or Security Flaw?’ is closed to new replies.
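
The behaviour the fix in this thread describes (log in first, then restore the cart) can be modelled in a few lines. This is an added example, not code from the plugin or from anyone in the thread; `CartRecoveryStore`, the `session` dict, the outcome strings and the 7-day lifetime are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 7 * 24 * 3600  # assumed lifetime of a recovery link, in seconds


class CartRecoveryStore:
    """Maps recovery-link tokens to saved carts (hypothetical model, not plugin code)."""

    def __init__(self):
        self._records = {}  # sha256(token) -> (owner_id, cart_items, expires_at)

    @staticmethod
    def _key(token):
        # Only a hash is stored, so a leaked table does not yield working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, owner_id, cart_items, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._records[self._key(token)] = (owner_id, list(cart_items), now + TOKEN_TTL)
        return token

    def redeem(self, token, session, now=None):
        """Return an outcome string. Never writes session['user_id']."""
        now = time.time() if now is None else now
        record = self._records.get(self._key(token))
        if record is None or now > record[2]:
            return "invalid"
        owner_id, cart_items, _ = record
        if session.get("user_id") is None:
            # Anonymous visitor: remember the token and send them through the
            # normal login (password + 2FA). The link itself authenticates no one.
            session["pending_recovery"] = token
            return "login_required"
        if session["user_id"] != owner_id:
            # Logged in as someone else: the cart belongs to another account.
            return "forbidden"
        session["cart"] = cart_items
        del self._records[self._key(token)]  # single use: the link dies once redeemed
        return "cart_restored"
```

The token only ever identifies a saved cart; the session's identity comes solely from the site's own login flow, so a forwarded or replayed email link cannot stand in for a password and second factor.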