• Resolved barold01

    (@barold01)


    Hi there,

    We’ve had a bug report sent our way relating to a potential vulnerability in the PayPal payment process. The result of this vulnerability is that a user could submit an order to PayPal, but override the price. So, the user could order $100 worth of goods, but only pay $1 for them.

    I’ll copy-paste the bug report below, but I’ve stripped out any URLs; I can provide them confidentially. I’d like to understand if this is a known bug with WooCommerce.

    _______

    Description
    Insecure direct object references (IDOR) are a type of access control vulnerability that arises when an application uses user-supplied input to access objects directly.
    
    Reproduction:
    
    Go to the main website and add products to the cart.
    Proceed to checkout and click the "proceed to paypal" button:
    
    Intercept the response to the request (with software such as Burp) and see the three price values (for price, tax and shipping):
    
    Modify those three value parameters, then forward the response:
    
    The price is manipulated and the request is forwarded to PayPal, who charge the price you have set:
    
    Completing the PayPal payment returns to the store and completes the transaction as though you have purchased at full price:
    
    Impact:
    Any product from the website can be purchased for a very low price, e.g. $1-$2.
    
    This leads to high impact on the website.
    
    Additional Information
    Vulnerability Rating Taxonomy Classification:
    Broken Access Control (BAC)
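The report above describes a client-controlled price reaching the gateway. The defensive counterpart is a server-side check that the amount the gateway reports as paid matches the store's own order total before the order is marked paid, plus an audit over existing orders for the same mismatch. This is an added illustration, not WooCommerce's or PayPal's code; the merchant email, order figures and txn_id values are constructed, and only the IPN field names (mc_gross, mc_currency, txn_id, payment_status, receiver_email) are PayPal's.

```python
"""Added example (not WooCommerce code): reconcile a PayPal Standard IPN
against the order the store computed itself.  The tampering in the report
works because the checkout form the browser posts to PayPal carries the
amount, tax and shipping, so the only trustworthy statement of what was
paid is the gateway's notification, and it counts only if it matches the
store's own total.  Field names mc_gross, mc_currency, txn_id,
payment_status and receiver_email are PayPal's IPN variables; everything
else here is illustrative."""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List, Set

TWOPLACES = Decimal("0.01")


def money(value) -> Decimal:
    """Normalise a numeric string or number to two decimal places."""
    return Decimal(str(value)).quantize(TWOPLACES, rounding=ROUND_HALF_UP)


@dataclass
class Order:
    """The store's own record of an order; these figures are authoritative."""
    order_id: str
    subtotal: Decimal
    tax: Decimal
    shipping: Decimal
    currency: str
    status: str = "pending"

    @property
    def total(self) -> Decimal:
        return money(self.subtotal + self.tax + self.shipping)


@dataclass
class Reconciler:
    """Validates IPNs for one merchant account and remembers used txn_ids."""
    receiver_email: str
    seen_txn_ids: Set[str] = field(default_factory=set)

    def check_ipn(self, ipn: Dict[str, str], order: Order) -> List[str]:
        """Return the reasons this IPN must NOT mark the order paid (empty = ok)."""
        problems: List[str] = []
        if ipn.get("payment_status") != "Completed":
            problems.append("payment_status is not Completed")
        if ipn.get("receiver_email", "").lower() != self.receiver_email.lower():
            problems.append("receiver_email is not the merchant account")
        if ipn.get("mc_currency") != order.currency:
            problems.append("currency does not match the order")
        paid = money(ipn.get("mc_gross", "0"))
        if paid != order.total:
            # The core check for this report: what PayPal actually took versus
            # what the store computed, never the client's copy of the price.
            problems.append(f"paid {paid} != order total {order.total}")
        txn = ipn.get("txn_id", "")
        if not txn or txn in self.seen_txn_ids:
            problems.append("txn_id missing or already used")
        return problems

    def apply_ipn(self, ipn: Dict[str, str], order: Order) -> bool:
        """Move the order to 'processing' only if every check passes; park
        mismatches as 'on-hold' so a tampered payment leaves a visible trace."""
        if self.check_ipn(ipn, order):
            order.status = "on-hold"
            return False
        self.seen_txn_ids.add(ipn["txn_id"])
        order.status = "processing"
        return True


def audit_paid_orders(orders: List[Order], captured: Dict[str, str]) -> List[str]:
    """Detection for orders already on the books: `captured` maps order_id to
    the amount the gateway's transaction record says was taken; any order
    marked paid for less than the store's total is returned for review."""
    flagged = []
    for order in orders:
        if order.status in ("processing", "completed"):
            if money(captured.get(order.order_id, "0")) < order.total:
                flagged.append(order.order_id)
    return flagged


# Constructed sample: a $100 order (90 + 5 tax + 5 shipping) and two IPNs, one
# for the tampered $1 charge described in the report and one for the correct
# amount.  The merchant email and txn_id values are made up.
MERCHANT = "merchant@example.com"
SAMPLE_ORDER = Order("1001", money("90.00"), money("5.00"), money("5.00"), "USD")
TAMPERED_IPN = {"payment_status": "Completed", "receiver_email": MERCHANT,
                "mc_currency": "USD", "mc_gross": "1.00", "txn_id": "TXN-TAMPERED-1"}
CORRECT_IPN = {"payment_status": "Completed", "receiver_email": MERCHANT,
               "mc_currency": "USD", "mc_gross": "100.00", "txn_id": "TXN-OK-1"}

if __name__ == "__main__":
    rec = Reconciler(MERCHANT)
    print("tampered accepted:", rec.apply_ipn(TAMPERED_IPN, SAMPLE_ORDER), SAMPLE_ORDER.status)
    print("correct accepted:", rec.apply_ipn(CORRECT_IPN, SAMPLE_ORDER), SAMPLE_ORDER.status)
```

The same comparison belongs wherever the gateway's result is consumed (IPN, PDT or a return-URL handler): the figures the browser carried to the gateway are never the reference.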
Viewing 8 replies - 1 through 8 (of 8 total)
  • Hi @barold01!

    Thank you for reporting it!

    To know more about your setup and to look into this further, could you please provide your System Status? You can find it via WooCommerce > Status. Select ‘Get system report’ and then ‘Copy for support’. Once you’ve done this, paste your response in here.

    Thanks!

    Thread Starter barold01

    (@barold01)

    Hi Juan,

    Pasting the report below. Once again, I’ve stripped out any URLs, as if there’s an active bug I don’t want to publicise which website it is appearing on. Thanks. Seb

    
    ### WordPress Environment ###
    
    WordPress address (URL): 
    Site address (URL): 
    WC Version: 6.3.1
    REST API Version: ✔ 6.3.1
    WC Blocks Version: ✔ 6.9.0
    Action Scheduler Version: ✔ 3.4.0
    WC Admin Version: ✔ 3.2.1
    Log Directory Writable: ✔
    WP Version: 5.9.2
    WP Multisite: ✔
    WP Memory Limit: 512 MB
    WP Debug Mode: –
    WP Cron: ✔
    Language: en_GB
    External object cache: ✔
    
    ### Server Environment ###
    
    Server Info: Apache
    PHP Version: 8.0.16
    PHP Post Max Size: 100 MB
    PHP Time Limit: 3600
    PHP Max Input Vars: 10000
    cURL Version: 7.74.0, OpenSSL/1.1.1k
    
    SUHOSIN Installed: –
    MySQL Version: 5.7.36-39-log
    Max Upload Size: 1 MB
    Default Timezone is UTC: ✔
    fsockopen/cURL: ✔
    SoapClient: ✔
    DOMDocument: ✔
    GZip: ✔
    Multibyte String: ✔
    Remote Post: ✔
    Remote Get: ✔
    
    ### Database ###
    
    WC Database Version: 5.9.0
    WC Database Prefix: wp_
    Total Database Size: 2790.46MB
    Database Data Size: 2213.84MB
    Database Index Size: 576.62MB
    
    ### Post Type Counts ###
    
    acf: 1
    acf-field: 94
    acf-field-group: 14
    attachment: 4899
    awards: 35
    cookielawinfo: 47
    custom_css: 1
    epkb_post_type_1: 104
    eventlocations: 23
    events: 98
    flamingo_contact: 53453
    flamingo_inbound: 119866
    jc-imports: 1
    language_switcher: 7
    mc4wp-form: 2
    nav_menu_item: 276
    ninja-table: 28
    oembed_cache: 1039
    page: 120
    partners: 143
    portfolio: 47
    post: 878
    product: 36
    product_variation: 276
    revision: 19
    saswp: 1
    shop_coupon: 15
    shop_order: 233
    shop_order_refund: 7
    sp_wp_carousel: 1
    templatera: 9
    vc_grid_item: 4
    vc_settings_preset: 3
    wp-timeline: 23
    wpcf7_contact_form: 49
    wpcf7r_action: 15
    wphb_minify_group: 29
    wptl_scbd: 1
    
    ### Security ###
    
    Secure connection (HTTPS): ✔
    Hide errors from visitors: ✔
    
    ### Active Plugins (82) ###
    
    Ultimate Addons for WPBakery Page Builder: by Brainstorm Force – 3.19.11
    Advanced Custom Fields: by Delicious Brains – 5.12
    Akismet Anti-Spam: by Automattic – 4.2.2
    Open Currency Converter: by David Artiss – 1.4.5
    Before and After Slider for VC: by Gambit Technologies Inc. – 1.4
    Conditional Fields for Contact Form 7: by Jules Colle – 2.1.2
    Contact Form 7 - Datalist: by Stuart Clark – 1.1
    CF7 to Webhook: by Mário Valney, Vizir Software Studio – 2.2.4
    Classic Editor: by WordPress Contributors – 1.6.2
    Contact Form 7 - Dynamic Text Extension: by Chris Mavricos, SevenSpark – 2.0.3
    Contact Form 7: by Takayuki Miyoshi – 5.5.6
    Custom Post Type Permalinks: by Toro_Unit – 3.4.5
    Custom Shortcodes: by Sebastian Simpson – 1.0
    Custom Twitter Feeds: by Smash Balloon – 1.8.4
    Disable Cart Fragments: by Optimocha – 2.0
    Duplicate Page: by mndpsingh287 – 4.4.8
    Knowledge Base for Documents and FAQs: by Echo Plugins – 9.2.1
    KB - Widgets: by Echo Plugins – 1.9.3
    Enable Media Replace: by ShortPixel – 3.6.3
    Fast Velocity Minify: by Raul Peixoto – 3.2.6
    Flamingo: by Takayuki Miyoshi – 2.2.3
    Geolocation IP Detection: by Yellow Tree (Benjamin Pick) – 5.0.0
    HandL UTM Grabber: by Haktan Suren – 2.7.22
    Header Footer Code Manager: by 99robots – 1.1.18
    OMGF: by Daan from FFW.Press – 5.0.5
    Image Map Pro: by Webcraft Plugins Ltd. – 5.3.1
    Jquery Validation For Contact Form 7 (Lite): by Dnesscarkey – 5.2
    WPBakery Page Builder: by Michael M - WPBakery.com – 6.8.0
    Partner Import: by Sebastian Simpson – 1.0
    Awards: by Sebastian Simpson – 1.0
    Events: by Sebastian Simpson – 1.0
    ACF Photo Gallery Field: by Navneil Naicker – 1.7.8
    Ninja Tables Pro: by WPManageNinja – 4.1.6
    Ninja Tables: by WPManageNinja LLC – 4.1.12
    Page scroll to id: by malihu – 1.7.5
    Partners Selector: by PWP –
    Pofo Addons: by Themezaa Team – 1.4.1
    Printify Shipping Method: by Printify – 2.5
    Public Post Preview: by Dominik Schilling – 2.9.3
    Really Simple SSL: by Really Simple Plugins – 5.3.0
    Safe SVG: by 10up – 1.9.10
    Scheduled Post Trigger: by Jennifer Moss - Moss Web Works – 3.0
    Search Exclude: by Roman Pronskiy – 1.2.6
    Search & Filter: by Code Amp – 1.2.14
    Select and Multi-Select Field for Contact Form 7: by Yash Baldawa – 1.1
    Shortcodes Ultimate: by Vladimir Anokhin – 5.12.0
    Templatera: by WPBakery – 1.1.12
    Text Effects for Visual Composer: by Gambit Technologies, Inc – 1.2-dev2
    TranslatePress - Customisations: by Sebastian Simpson – 1.0
    TranslatePress - Multilingual: by Cozmoslabs, Razvan Mocanu, Madalin Ungureanu, Cristophor Hurduban – 2.2.2
    TranslatePress - Personal: by Cozmoslabs, Razvan Mocanu, Madalin Ungureanu – 1.0.7
    User Role Editor: by Vladimir Garagulya – 4.61.2
    WPBakery Page Builder Clipboard: by bitorbit – 5.0.2
    Open Graph and Twitter Card Tags: by Webdados – 3.1.2
    WooCommerce Breadcrumbs: by Anthony Hortin – 1.0.8
    WooCommerce PDF Invoices & Packing Slips: by WP Overnight – 2.14.0
    WOOF - WooCommerce Products Filter: by realmag777 – 1.2.6.4
    WooCommerce: by Automattic – 6.3.1
    Yoast SEO Premium: by Team Yoast – 18.1
    Yoast SEO: by Team Yoast – 18.3
    WP Crontrol: by John Blackbourn & contributors – 1.12.0
    WP Force Lowercase URLs: by Josh Buchea – 2.0.1
    WP Mail SMTP: by WPForms – 3.3.0
    WP-Optimize - Clean, Compress, Cache: by David Anderson, Ruhani Rabin, Team Updraft – 3.2.3
    WP Rollback: by Impress.org – 1.7.1
    WP Timeline: by ExThemes – 3.5.6
    Redirection for Contact Form 7: by Qube One – 2.6.0
    WP Engine Advanced Cache Options: by Ethan Kennedy, Steven Word – 1.3.3
    XML Sitemap & Google News: by RavanH – 5.3.3
    Auto Image Attributes From Filename With Bulk Updater: by Arun Basil Lal – 3.0
    Sendy WPCF7: by Ryan Snowden – 1.0
    Wordfence Security: by Wordfence – 7.5.8
    Blog2Social: Social Media Auto Post & Scheduler: by Blog2Social, Adenion – 6.9.2
    WPBakery Page Builder: by Michael M - WPBakery.com – 6.8.0
    Pofo Addons: by Themezaa Team – 1.4.1
    Ultimate Addons for WPBakery Page Builder: by Brainstorm Force – 3.19.11
    WPBakery Page Builder Clipboard: by bitorbit – 5.0.2
    Ninja Tables: by WPManageNinja LLC – 4.1.12
    Ninja Tables Pro: by WPManageNinja – 4.1.6
    GDPR Cookie Consent: by WebToffee – 2.0.9
    Yoast SEO: by Team Yoast – 18.3
    Yoast SEO Premium: by Team Yoast – 18.1
    
    ### Inactive Plugins (10) ###
    
    Better Font Awesome: by Mickey Kay – 2.0.1
    Partners Leads: by Craig R Morton – 0.2
    Team Bio: by Sebastian Simpson – 1.0
    Prevent XSS Vulnerability: by Sami Ahmed Siddiqui – 2.0.0
    Slider Revolution: by ThemePunch – 6.2.23
    Smush: by WPMU DEV – 3.9.5
    WooCommerce Admin: by WooCommerce – 3.2.1
    WooCommerce Shipping & Tax: by WooCommerce – 1.25.23
    WOOCS - WooCommerce Currency Switcher: by realmag777 – 1.3.7.5
    WP All Export: by Soflyy – 1.3.3
    
    ### Dropin Plugins (2) ###
    
    advanced-cache.php: advanced-cache.php
    object-cache.php: Memcached Redux
    
    ### Must Use Plugins (6) ###
    
    Force Strong Passwords - WPE Edition: by Jason Cosper – 1.8.0
    WPE ElasticPress Autosuggest Logger: by WP Engine – 1.0.0
    WP Engine Cache Plugin: by WP Engine – 1.0.8
    WP Engine Seamless Login Plugin: by WP Engine – 1.5.5
    WP Engine Security Auditor: by wpengine – 1.0.10
    WP Engine System: by WP Engine – 5.0.1
    
    ### Settings ###
    
    API Enabled: ✔
    Force SSL: –
    Currency: USD ($)
    Currency Position: left
    Thousand Separator: ,
    Decimal Separator: .
    Number of Decimals: 2
    Taxonomies: Product Types: external (external)
    grouped (grouped)
    simple (simple)
    variable (variable)
    
    Taxonomies: Product Visibility: exclude-from-catalog (exclude-from-catalog)
    exclude-from-search (exclude-from-search)
    featured (featured)
    outofstock (outofstock)
    rated-1 (rated-1)
    rated-2 (rated-2)
    rated-3 (rated-3)
    rated-4 (rated-4)
    rated-5 (rated-5)
    
    Connected to WooCommerce.com: –
    
    ### WC Pages ###
    
    Shop base: #58216 - /shop/
    Basket: #58218 - /cart/
    Checkout: #58220 - /checkout/
    My account: #58222 - /my-account/
    Terms and conditions: ❌ Page ID is set, but the page does not exist
    
    ### Theme ###
    
    Name: Pofo Child
    Version: 1.02
    Author URL: http://www.themezaa.com
    Child Theme: ✔
    Parent Theme Name: Pofo
    Parent Theme Version: 1.4.1
    Parent Theme Author URL: https://www.themezaa.com/
    WooCommerce Support: ✔
    
    ### Templates ###
    
    Overrides: pofo/woocommerce/archive-product.php
    pofo/woocommerce/global/breadcrumb.php
    pofo/woocommerce/loop/pagination.php
    pofo/woocommerce/single-product.php
    
    ### Action Scheduler ###
    
    Complete: 158
    Oldest: 2022-02-14 01:18:02 +0000
    Newest: 2022-03-16 01:39:07 +0000
    
    Failed: 1
    Oldest: 2020-04-17 08:26:04 +0000
    Newest: 2020-04-17 08:26:04 +0000
    
    ### Status report information ###
    
    Generated at: 2022-03-16 09:46:48 +08:00
    

    Thank you for sending the System Status.

    In it, I cannot find a plugin related to PayPal. Could you please confirm if you are using a service or plugin to accept PayPal payments? In case you are, could you specify which one?

    Thanks!

    Thread Starter barold01

    (@barold01)

    Hi Juan

    It was my understanding that WooCommerce natively supports PayPal; is this not the case?

    I don’t think we’ve installed anything aside from the main WooCommerce plugin in order to integrate PayPal, as per the screenshot below.

    View post on imgur.com

    Thanks
    Seb

    Hello,

    It was my understanding that WooCommerce natively supports PayPal; is this not the case?

    Yes, it is supported; please check:
    * https://woocommerce.com/document/paypal-standard
    * https://developer.woocommerce.com/2021/07/12/developer-advisory-paypal-standard-will-be-hidden-on-new-installs/

    It is safe. To learn more about the security releases with WooCommerce and PayPal Standard, please check:
    https://developer.woocommerce.com/2022/03/10/woocommerce-3-5-10-6-3-1-security-releases/

    I hope this provides clarity.

    Thread Starter barold01

    (@barold01)

    Hi Igor

    Thanks for the feedback. I’m clear on the distinction between PayPal Standard and the newer “WooCommerce PayPal Payments” plugin now. We’re still on the older PayPal Standard integration. Not super keen to migrate to the newer plugin after looking at reviews!!!?

    We have reproduced this vulnerability and can provide a set of screenshots or a video of the issue.

    Is there somewhere we can provide this information to the team (not a public forum)? Either an email or a bug reporting tool?

    Thanks

    Mirko P.

    (@rainfallnixfig)

    Hi @barold01,

    There was a recent security fix related to the PayPal Standard payment gateway with important security improvements. You can read more here:

    https://developer.woocommerce.com/2022/03/10/woocommerce-3-5-10-6-3-1-security-releases/

    I recommend that you update all your plugins and theme, and also update your WC database to match the latest core version (6.3.1). Be sure to have a full backup in place before making changes to your site.

    Once you’ve done that, if you’re still able to reproduce the issue with PayPal Standard in an environment with only WordPress, WooCommerce and the default Storefront theme enabled, I suggest that you share your findings on GitHub, which is where developers go to look at bug reports.

    https://github.com/woocommerce/woocommerce/issues/new/choose

    Best regards.

    Mirko P.

    (@rainfallnixfig)

    Hi there,

    We’ve not heard back from you in a while so I’ll go ahead and mark this thread as resolved. Hopefully, you were able to find a solution to this issue.

    If you have further questions, please feel free to open a new topic.

    Thanks.

  • The topic ‘Potential vulnerability in PayPal payment’ is closed to new replies.