Bug with HUGE security risk

We're shifting our Forum based support to a more dedicated support system!

We'll be closing our Forum support from 10th June, 2020 and move to Email Support assistance.

  • If you are a WCFM premium add-ons user, contact us- here
  • Want to know more before buying our add-ons? Send Pre sale queries- here
  • If you are a WCFM free user, please open a support ticket at WordPress.org
  • For WCFM App related queries, reach us- here
From now the forum will be read-only!

Multi Vendor Marketplace Plugin | WCFM Marketplace Forums WCFM – Marketplace (WooCommerce Multivendor Marketplace) Bug with HUGE security risk

Tagged: , , , , , , , , ,

Viewing 3 reply threads
  • Author
    Posts
    • November 14, 2019 at 1:10 am #92202
      lewis
      Participant

      Hi team,
      I found a bug that is very problematic in terms of security and confidentiality.
      Basically, I discovered that a simple vendor can see all posts, no matter what his permissions are at the role level.
      I discovered that a seller with no administrator rights can see the content of all posts, even those in draft, even those in the trash, even those private, EVEN those protected by a password!!!

      To do so, the admin creates a notice.
      Then, the seller will be able to see the notice by clicking on a link which will look like this:
      mydomain.com/admin/wcfm-notice-view/1002
      The “1002” refers to a post id. If the seller changes this number to any other number, he will see the title and content of the post having this id.
      For example, admin changed the first post ever that was initially like “welcome to wordpress” and added sensitive data to other site administrators and add the password-protected post option.
      The seller, if he go to mydomain.com/admin/wcfm-notice-view/1 will see the title and the content, without even having to add a password.

      Please look into it.

      Im here to help and test anything else if you need to 🙂

      -Lewis, WCFM lover

    • November 14, 2019 at 2:32 am #92212
      sdel_nevo
      Participant

      HI

      I can confirm this works for me too !!!

      logged in as a vendor, went to

      /store-manager/notice-view/104002/

      where 104002 is the id of a product posted by another vendor and the details are visible!! to this vendor

      Steve

    • November 14, 2019 at 7:14 am #92233
      lewis
      Participant

      (+ the topic date seems to be broken, i get the current date and time instead of date and time of when the notice was created)

    • November 22, 2019 at 11:00 am #93393
      WCFM Forum
      Member

      We will definitely take care of this in coming update!

  • Author
    Posts
Viewing 3 reply threads
  • The topic ‘Bug with HUGE security risk’ is closed to new replies.