Multi Vendor Marketplace Plugin | WCFM Marketplace › Forums › WCFM – Marketplace (WooCommerce Multivendor Marketplace) › Bug with HUGE security risk
- November 14, 2019 at 1:10 am #92202lewisParticipant
I found a bug that is very problematic in terms of security and confidentiality.
Basically, I discovered that a simple vendor can see all posts, no matter what his permissions are at the role level.
I discovered that a seller with no administrator rights can see the content of all posts, even those in draft, even those in the trash, even those private, EVEN those protected by a password!!!
To do so, the admin creates a notice.
Then, the seller will be able to see the notice by clicking on a link which will look like this:
The “1002” refers to a post id. If the seller changes this number to any other number, he will see the title and content of the post having this id.
For example, admin changed the first post ever that was initially like “welcome to wordpress” and added sensitive data to other site administrators and add the password-protected post option.
The seller, if he go to mydomain.com/admin/wcfm-notice-view/1 will see the title and the content, without even having to add a password.
Please look into it.
Im here to help and test anything else if you need to 🙂
-Lewis, WCFM lover
- November 14, 2019 at 2:32 am #92212sdel_nevoParticipant
I can confirm this works for me too !!!
logged in as a vendor, went to
where 104002 is the id of a product posted by another vendor and the details are visible!! to this vendor
- November 14, 2019 at 7:14 am #92233lewisParticipant
(+ the topic date seems to be broken, i get the current date and time instead of date and time of when the notice was created)
- November 22, 2019 at 11:00 am #93393WCFM ForumKeymaster
We will definitely take care of this in coming update!
- The topic ‘Bug with HUGE security risk’ is closed to new replies.