Resolved

4kitcat (@4kitcat)

    We’ve had a few reports of users seeing past / other users’ orders on their My Account page. The first instance, about 2 weeks ago: the guy had the same first name and seemed to have chosen a similar username, as if he’d somehow overridden the other user. I was able to mimic this flaw to gain access to another user’s past orders, i.e. if the [email protected] was the same as another user’s, it granted me access to that _____ matching user name. It did not, however, grant the new user the same “role” as the old user, just a view of past orders. In the 2nd and 3rd instances, from customers, there was no connection we could find between the user and the orders they can view of a past user.

    What could be causing this?

    ### WordPress Environment ###

    WC Version: 3.1.2
    Log Directory Writable: ?
    WP Version: 4.8.2
    WP Multisite: –
    WP Memory Limit: 512 MB
    WP Debug Mode: –
    WP Cron: ?
    Language: en_US

    ### Server Environment ###

    Server Info: Apache
    PHP Version: 5.6.31-4+wpengine10
    PHP Post Max Size: 100 MB
    PHP Time Limit: 3600
    PHP Max Input Vars: 1000
    cURL Version: 7.35.0
    OpenSSL/1.0.1f

    SUHOSIN Installed: –
    MySQL Version: 5.6.37
    Max Upload Size: 50 MB
    Default Timezone is UTC: ?
    fsockopen/cURL: ?
    SoapClient: ?
    DOMDocument: ?
    GZip: ?
    Multibyte String: ?
    Remote Post: ?
    Remote Get: ?

    ### Database ###

    WC Database Version: 3.1.2
    WC Database Prefix: wp_
    woocommerce_sessions: ?
    woocommerce_api_keys: ?
    woocommerce_attribute_taxonomies: ?
    woocommerce_downloadable_product_permissions: ?
    woocommerce_order_items: ?
    woocommerce_order_itemmeta: ?
    woocommerce_tax_rates: ?
    woocommerce_tax_rate_locations: ?
    woocommerce_shipping_zones: ?
    woocommerce_shipping_zone_locations: ?
    woocommerce_shipping_zone_methods: ?
    woocommerce_payment_tokens: ?
    woocommerce_payment_tokenmeta: ?
    MaxMind GeoIP Database: ?

    ### Active Plugins (33) ###

    Redux Framework: by Team Redux – 3.6.5
    2048: by Envigeek Web Services – 0.3.1
    LayerSlider WP: by Kreatura Media – 5.4.0
    Admin Branding: by Gabriel Nordeborn – 1.1.2
    Advanced Custom Fields: by Elliot Condon – 4.4.11
    Advanced Sidebar Menu: by Mat Lipe – 6.3.0
    Basic Google Maps Placemarks: by Ian Dunn – 1.10.7
    CommerceGurus Toolkit: by CommerceGurus – 1.2.8
    Contact Form 7: by Takayuki Miyoshi – 4.9
    Disable Comments: by Samir Shah – 1.7
    Easy2Map WordPress Plugin: by Steven Ellis – 1.5.5
    Export Users to CSV: by Ulrich Sossou – 1.0.0
    Import users from CSV with meta: by codection – 1.10.6.9
    WPBakery Visual Composer: by Michael M – WPBakery.com – 4.5.3
    Responsive Image Maps: by Philip Newcomer – 1.4
    Slider Revolution: by ThemePunch – 5.2.5.4
    Simple Custom CSS: by John Regan, Danny Van Kooten – 3.3
    Slide Puzzle: by [email protected] – 1.0.0
    SSL Insecure Content Fixer: by WebAware – 2.4.0
    Store Locator Plus: by Store Locator Plus – 4.8.3
    Visual Products Configurator: by ORION – 3.2.1
    WooCommerce Wholesale Ordering: by Stephen Sherrard – 3.1.3
    WooCommerce Advanced Free Shipping: by Jeroen Sormani – 1.1.2
    WooCommerce PayPal Express Checkout Gateway: by WooCommerce – 1.4.3
    WooCommerce PayPal Pro (Classic and PayFlow Editions) Gateway: by WooCommerce – 4.4.8
    WooCommerce Quantity Increment: by Automattic, WooThemes – 1.1.0
    WooCommerce Role Based Methods: by WPBackOffice – 2.0.7 – 2.2.0 is available
    WooCommerce FedEx Shipping: by WooThemes – 3.3.3 – 3.4.9 is available
    WooCommerce USPS Shipping: by WooThemes – 4.2.12 – 4.4.10 is available
    WooCommerce: by Automattic – 3.1.2
    WooSidebars: by WooThemes – 1.4.3
    Yoast SEO: by Team Yoast – 5.3.2
    YITH WooCommerce Ajax Search: by YITHEMES – 1.5.3

    ### Settings ###

    API Enabled: ?
    Force SSL: ?
    Currency: USD ($)
    Currency Position: left
    Thousand Separator: ,
    Decimal Separator: .
    Number of Decimals: 2
    Taxonomies: Product Types: external (external), grouped (grouped), simple (simple), variable (variable)

    Taxonomies: Product Visibility: exclude-from-catalog (exclude-from-catalog), exclude-from-search (exclude-from-search), featured (featured), outofstock (outofstock), rated-1 (rated-1), rated-2 (rated-2), rated-3 (rated-3), rated-4 (rated-4), rated-5 (rated-5)

    ### WC Pages ###

    Shop base: #66191 – /shop/
    Cart: #66439 – /cart/
    Checkout: #66440 – /checkout/
    My account: #10 – /my-account/

    ### Theme ###

    Name: Boulder
    Version: 1.2
    Author URL: https://www.commercegurus.com
    Child Theme: ? – If you are modifying WooCommerce on a parent theme that you did not build personally we recommend using a child theme. See: How to create a child theme
    WooCommerce Support: ?

    ### Templates ###

    Overrides: boulder/woocommerce/archive-product.php
    boulder/woocommerce/cart/cart.php version 2.3.8 is out of date. The core version is 3.1.0
    boulder/woocommerce/checkout/form-checkout.php
    boulder/woocommerce/checkout/review-order.php
    boulder/woocommerce/checkout/thankyou.php version 2.2.0 is out of date. The core version is 3.0.0
    boulder/woocommerce/content-product.php version 1.6.4 is out of date. The core version is 3.0.0
    boulder/woocommerce/content-product_cat.php version 1.6.4 is out of date. The core version is 2.6.1
    boulder/woocommerce/content-single-product.php version 1.6.4 is out of date. The core version is 3.0.0
    boulder/woocommerce/emails/customer-completed-order.php version 2.4.0 is out of date. The core version is 2.5.0
    boulder/woocommerce/emails/customer-processing-order.php version 2.4.0 is out of date. The core version is 2.5.0
    boulder/woocommerce/global/wrapper-end.php
    boulder/woocommerce/global/wrapper-start.php
    boulder/woocommerce/loop/loop-end.php
    boulder/woocommerce/loop/loop-start.php
    boulder/woocommerce/loop/orderby.php
    boulder/woocommerce/loop/pagination.php
    boulder/woocommerce/loop/result-count.php version 2.0.0 is out of date. The core version is 3.0.0
    boulder/woocommerce/loop/sale-flash.php
    boulder/woocommerce/single-product/meta.php version 1.6.4 is out of date. The core version is 3.0.0
    boulder/woocommerce/single-product/price.php version 1.6.4 is out of date. The core version is 3.0.0
    boulder/woocommerce/single-product/product-image.php version 2.0.14 is out of date. The core version is 3.1.0
    boulder/woocommerce/single-product/product-thumbnails.php version 2.3.0 is out of date. The core version is 3.1.0
    boulder/woocommerce/single-product/related.php version 1.6.4 is out of date. The core version is 3.0.0
    boulder/woocommerce/single-product/sale-flash.php
    boulder/woocommerce/single-product/share.php
    boulder/woocommerce/single-product/tabs/tabs.php version 2.0.0 is out of date. The core version is 2.4.0
    boulder/woocommerce/single-product/up-sells.php version 1.6.4 is out of date. The core version is 3.0.0
    boulder/woocommerce/single-product-reviews.php
    boulder/woocommerce/single-product.php

    Outdated Templates: ? Learn how to update
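The report above describes orders becoming visible to an account that merely shares an e-mail address or a look-alike username with the account that placed them. The audit below is an added example, not code from this thread or from WooCommerce: it flags accounts that share one e-mail address, orders whose owning account's e-mail differs from the order's billing e-mail, and, for each account, the orders that an e-mail-keyed order lookup would expose beyond a customer-ID-keyed one. It runs against an in-memory SQLite stand-in for the WordPress tables; the table names and meta keys (`wp_users`, `wp_posts`, `wp_postmeta`, post type `shop_order`, `_customer_user`, `_billing_email`) are the ones WooCommerce 3.x uses, while every row, and the assumption that duplicate e-mails arrived through a bulk import, is constructed for illustration.

```python
"""Audit a WooCommerce store for order-ownership collisions.

Added example, not from the forum thread or from WooCommerce. Uses an in-memory
SQLite stand-in for the WordPress tables (the real store runs MySQL); table and
meta-key names are WooCommerce 3.x's, all row data below is constructed.
"""
import sqlite3

SCHEMA = """
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT);
CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT);
CREATE TABLE wp_postmeta (post_id INTEGER, meta_key TEXT, meta_value TEXT);
"""

# Constructed sample accounts: users 1 and 3 share an e-mail address (assumed to
# have arrived via a bulk user import, which need not enforce uniqueness).
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "alice2", "alice@example.com"),
]

# Constructed sample orders: (order id, _customer_user, _billing_email).
ORDERS = [
    (100, 1, "alice@example.com"),
    (101, 2, "bob@example.com"),
    (102, 1, "alice@example.com"),
    (103, 3, "alice@example.com"),
    (104, 2, "alice@example.com"),  # placed by bob, billed to alice's address
]


def build_sample_db():
    """Create the stand-in tables and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", USERS)
    for order_id, customer_id, billing_email in ORDERS:
        conn.execute("INSERT INTO wp_posts VALUES (?, 'shop_order')", (order_id,))
        conn.executemany(
            "INSERT INTO wp_postmeta VALUES (?, ?, ?)",
            [(order_id, "_customer_user", str(customer_id)),
             (order_id, "_billing_email", billing_email)],
        )
    return conn


def orders_by_customer_id(conn, user_id):
    """Correct scoping for a My Account page: only orders owned by this account ID."""
    rows = conn.execute(
        """SELECT m.post_id FROM wp_postmeta m
           JOIN wp_posts p ON p.ID = m.post_id AND p.post_type = 'shop_order'
           WHERE m.meta_key = '_customer_user' AND m.meta_value = ?
           ORDER BY m.post_id""",
        (str(user_id),),
    ).fetchall()
    return [r[0] for r in rows]


def orders_by_email(conn, email):
    """Weak scoping: every order billed to this address, whoever placed it."""
    rows = conn.execute(
        """SELECT m.post_id FROM wp_postmeta m
           JOIN wp_posts p ON p.ID = m.post_id AND p.post_type = 'shop_order'
           WHERE m.meta_key = '_billing_email' AND LOWER(m.meta_value) = LOWER(?)
           ORDER BY m.post_id""",
        (email,),
    ).fetchall()
    return [r[0] for r in rows]


def overexposed_orders(conn, user_id):
    """Orders an e-mail-keyed lookup would show this account that it does not own."""
    (email,) = conn.execute("SELECT user_email FROM wp_users WHERE ID = ?", (user_id,)).fetchone()
    return sorted(set(orders_by_email(conn, email)) - set(orders_by_customer_id(conn, user_id)))


def duplicate_emails(conn):
    """Accounts sharing one e-mail address (case-insensitive): [(email, [logins]), ...]."""
    rows = conn.execute(
        """SELECT LOWER(user_email), GROUP_CONCAT(user_login) FROM wp_users
           GROUP BY LOWER(user_email) HAVING COUNT(*) > 1 ORDER BY 1"""
    ).fetchall()
    return [(email, sorted(logins.split(","))) for email, logins in rows]


def mismatched_orders(conn):
    """Orders whose owning account's e-mail differs from the billing e-mail: [(order, user_id)]."""
    return conn.execute(
        """SELECT c.post_id, u.ID FROM wp_postmeta c
           JOIN wp_posts p ON p.ID = c.post_id AND p.post_type = 'shop_order'
           JOIN wp_users u ON u.ID = CAST(c.meta_value AS INTEGER)
           JOIN wp_postmeta b ON b.post_id = c.post_id AND b.meta_key = '_billing_email'
           WHERE c.meta_key = '_customer_user' AND LOWER(u.user_email) <> LOWER(b.meta_value)
           ORDER BY c.post_id"""
    ).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("accounts sharing an e-mail:", duplicate_emails(db))
    print("orders whose owner e-mail differs from billing e-mail:", mismatched_orders(db))
    for uid, login, _ in USERS:
        print(f"{login}: owns {orders_by_customer_id(db, uid)}, "
              f"extra via e-mail lookup {overexposed_orders(db, uid)}")
```

The point of the comparison is that an order listing keyed on anything a second account can also hold (e-mail address, display name, username) will leak across accounts as soon as two accounts share that value; keying on the numeric user ID stored in `_customer_user` does not. On a real store the same three queries can be run against MySQL to find the colliding accounts behind reports like the one above.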

Viewing 2 replies - 1 through 2 (of 2 total)
The topic ‘Users can see other users orders (sometimes)’ is closed to new replies.