There is a security hole in Rest API for coupon

  • Resolved actsoneceo

    (@actsoneceo)


    7 years, 4 months ago

    Hello.

    From long time ago, some people tried, they registered irregular coupon to our woocommerce website by remotely (maybe they will use rest api)

    And then, they continue to receive illegal discounts.

    All coupon name include prefix with sumo (sumo_meoducsaigon, sumo_lnt.nhung0911, sumo_tran,…)
    It was relate with sumo reward point plugin? (our website using it)

    Rest api should be need more security protect for users.

    Please help us.

Viewing 2 replies - 1 through 2 (of 2 total)
  • madeincosmos

    (@madeincosmos)

    Automattic Happiness Engineer

    Hi @actsoneceo,

    WooCommerce API only allows changing things remotely on your site to the users who know the API key and secret. This information is only available in WP Admin, so the customers shouldn’t have access to this.

    We’re not the authors for the Sumo Coupons plugin, so I’m not 100% sure of how it works, but I found on the product page here that it has an option to generate a coupon for a comment or daily login:

    https://fantasticplugins.com/sumo-coupons/

    I’d recommend to review all plugin settings and make sure the coupons are only generated when you want it. The plugin authors will be able to help you with this:

    https://fantasticplugins.com/support/

    Cheers!

    madeincosmos

    (@madeincosmos)

    Automattic Happiness Engineer

    Hi @actsoneceo,

    We haven’t heard back from you in a while, so I’ll mark this thread as resolved now. If you have some more questions, feel free to start a new one.

    Cheers!

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘There is a security hole in Rest API for coupon’ is closed to new replies.