• To introduce form security the way the wp boys like to see it, I suggest the following code additions:

    In backend.php at line 81:

    (81):	if (isset($_REQUEST['action']) && $_REQUEST['action'] == 'add_item'  ){
    
    // Start form security
    require_once ABSPATH . 'wp-includes/pluggable.php'; // It looks like pluggable.php (which defines wp_verify_nonce) is loaded too late, so I'll do it
    // Read the nonce field defensively so a request without it fails the check instead of raising an undefined-index notice
    $scabn_nonce = isset($_REQUEST['scabn-add']) ? $_REQUEST['scabn-add'] : '';
    if ( ! wp_verify_nonce($scabn_nonce, 'add_to_cart') ) {
    	wp_die('Cheating?');
    }
    // End form security

    And in display.php right below the <form tag on line 164:

    (164):	$output .= "<form method='post' class='".$item_id."' action='".$action_url."'>\n";
    	$output .= wp_nonce_field( 'add_to_cart', 'scabn-add', false, false );

    http://wordpress.org/extend/plugins/simple-cart-buy-now/

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author bluey80

    (@bluey80)

    Implemented in 1.9.10.

    I’m wondering if that same type of code should be added to the remove link in the shopping cart. It is ?variable=something style in the URL instead of POST, but I don’t think that changes anything.

    Thread Starter Jacob N. Breetvelt

    (@opajaap)

    Thanx for this. Removing is not vulnerable. It was theoretically possible to buy anything for a modified price. This is approx 100 times more difficult now. So, I am confident with how it is now, and will proceed publishing what we achieved on the wppa+ site. I will drop a link when it's ready. Thanx for your support!

    Plugin Author bluey80

    (@bluey80)

    Good point. I wrote SCABN wanting to not let people alter the pricing of items, but what I did was have SCABN get the pricing from a db query and ignore the user-supplied price. This works fine, but isn’t enabled by default as the user needs to provide a function to look up pricing (see notes in templates/default.php). Using a nonce is much better as it works out of the box. Thanks.

    Plugin Author bluey80

    (@bluey80)

    Actually, it is still very easy to buy at a modified price. (I just did it). If you just open up the page in developer tools (right click, inspect element in Chrome) and find the add-to-cart submit form, you can edit the price=”XX” line to whatever you want. The nonce stuff stops (makes harder) cross-site scripting running code as admin from sniffed packets, etc, but it only validates that the content came from the right user / right source recently.

    If you set up price lookups, this is prevented because the price=XX value gets overwritten by the price lookup. But by default this is disabled as the user has to write some kind of price lookup table / db query.

    I think the only solution is to do some encryption / decryption of at least the price field if not just sign the entire ‘add-to-cart’ submit form. I’ll look if WP has any hooks for this.
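    The two points made in this thread, that the nonce only proves the form was rendered recently for this user and that the submitted price must never be trusted, fit together in one handler. The following is an added example written for this thread, not SCABN's own code. It assumes it runs inside WordPress (wp_verify_nonce, wp_nonce_field, wp_die, wp_hash, sanitize_key and esc_attr available), and the names scabn_lookup_price(), scabn_sign_price(), scabn_resolve_price(), the form field names item_id / price / price_sig, and the small in-memory catalog are all hypothetical stand-ins for the lookup function the plugin asks the site owner to provide.

```php
<?php
// Added example for the SCABN thread (not the plugin's own code).
// Assumes a WordPress environment; scabn_* names and field names are hypothetical.

// Hypothetical server-side catalog standing in for the site owner's DB lookup.
// Constructed sample data.
function scabn_lookup_price( $item_id ) {
    $catalog = array(
        'widget-1' => 19.99,
        'widget-2' => 5.00,
    );
    return isset( $catalog[ $item_id ] ) ? $catalog[ $item_id ] : null;
}

// Canonical string form so the signed value and the verified value always match.
function scabn_normalize_price( $price ) {
    return number_format( (float) $price, 2, '.', '' );
}

// Fallback for sites without a lookup: sign the price when the form is rendered.
// wp_hash() is an HMAC keyed with the site's salt, so the browser cannot forge it.
function scabn_sign_price( $item_id, $price ) {
    return wp_hash( $item_id . '|' . scabn_normalize_price( $price ), 'nonce' );
}

function scabn_price_signature_valid( $item_id, $price, $sig ) {
    return hash_equals( scabn_sign_price( $item_id, $price ), (string) $sig );
}

// Decide the price to charge. Returns null when the request must be refused.
function scabn_resolve_price( $item_id, $submitted_price, $submitted_sig ) {
    $price = scabn_lookup_price( $item_id );
    if ( null !== $price ) {
        return $price; // authoritative: whatever the client sent is ignored
    }
    // No lookup configured: accept the client's price only if it carries the
    // signature this server produced when it rendered the form.
    if ( scabn_price_signature_valid( $item_id, $submitted_price, $submitted_sig ) ) {
        return (float) scabn_normalize_price( $submitted_price );
    }
    return null;
}

// Form side (display.php equivalent): nonce plus signed price.
function scabn_render_add_form( $item_id, $price, $action_url ) {
    $output  = "<form method='post' action='" . esc_attr( $action_url ) . "'>\n";
    $output .= wp_nonce_field( 'add_to_cart', 'scabn-add', false, false );
    $output .= "<input type='hidden' name='action' value='add_item'>\n";
    $output .= "<input type='hidden' name='item_id' value='" . esc_attr( $item_id ) . "'>\n";
    $output .= "<input type='hidden' name='price' value='" . esc_attr( scabn_normalize_price( $price ) ) . "'>\n";
    $output .= "<input type='hidden' name='price_sig' value='" . esc_attr( scabn_sign_price( $item_id, $price ) ) . "'>\n";
    $output .= "<input type='submit' value='Add to cart'>\n</form>\n";
    return $output;
}

// Handler side (backend.php equivalent).
if ( isset( $_REQUEST['action'] ) && 'add_item' === $_REQUEST['action'] ) {
    $nonce = isset( $_REQUEST['scabn-add'] ) ? $_REQUEST['scabn-add'] : '';
    if ( ! wp_verify_nonce( $nonce, 'add_to_cart' ) ) {
        wp_die( 'Cheating?' ); // missing, stale or cross-site form submission
    }

    $item_id         = isset( $_REQUEST['item_id'] ) ? sanitize_key( $_REQUEST['item_id'] ) : '';
    $submitted_price = isset( $_REQUEST['price'] ) ? $_REQUEST['price'] : '';
    $submitted_sig   = isset( $_REQUEST['price_sig'] ) ? $_REQUEST['price_sig'] : '';

    $price = scabn_resolve_price( $item_id, $submitted_price, $submitted_sig );
    if ( null === $price ) {
        wp_die( 'Price could not be verified.' ); // edited in developer tools, or unknown item
    }
    // Continue adding $item_id to the cart at the trusted $price.
}
```

    The nonce check and the price check answer different questions: the nonce says "this form was issued to this user recently", while the lookup (or, failing that, the signature) says "this price is the one the server set". A signed price is weaker than a lookup because a signature stays valid until the salt changes, so an old form can be replayed at an old price; the lookup is the default here and the signature is only the fallback for sites that have not written one.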

  • The topic ‘Missing form security’ is closed to new replies.