Security flaw?
Hi there,
A friend of mine has been using this plugin for a while, but recently noticed an incorrect amount come through via PayPal.
I just had a look at the site and noticed that the plugin is using a form that passes through all of the details, without any encryption, thus making the details easily accessible via a browser’s DevTools.
Not only can someone see the email address that is linked to the PayPal account, they can also adjust the amount to whatever they like and then click on the PayPal button. This is the form used:

<form target="" action="https://www.paypal.com/cgi-bin/webscr" method="post">
    <input type="hidden" name="cmd" value="_xclick">
    <input type="hidden" name="business" value="UserPayPalAccount@example.com">
    <input type="hidden" name="item_name" value="Name of item">
    <input type="hidden" name="currency_code" value="USD">
    <input type="hidden" name="amount" value="70">
    <input type="hidden" name="lc" value="EN_US">
    <input type="hidden" name="no_note" value="">
    <input type="hidden" name="paymentaction" value="sale">
    <input type="hidden" name="return" value="URL of return / thank-you page">
    <input type="hidden" name="bn" value="WPPlugin_SP">
    <input type="hidden" name="cancel_return" value="URL of cancel return page">
    <input style="border: none;" class="paypalbuttonimage" type="image" src="https://www.paypalobjects.com/webstatic/en_US/i/buttons/buy-logo-medium.png" border="0" name="submit" alt="Make your payments with PayPal. It is free, secure, effective.">
    <img alt="" border="0" style="border:none;display:none;" src="https://www.paypal.com/EN_US/i/scr/pixel.gif" width="1" height="1">
</form>
Is this a setup issue or plugin issue?
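Whatever the answer about setup versus plugin, the hidden `amount` field in a PayPal Standard `_xclick` form is always under the buyer's control, so the merchant side has to confirm what was actually paid. The following is an added example, not the plugin's or the poster's code: it checks a PayPal IPN message against the order the server itself recorded. It assumes the server's order id is passed to PayPal in the `custom` field, and it omits the network step of echoing the IPN back to PayPal for a VERIFIED response.

```python
"""Server-side validation of a PayPal Standard IPN (constructed example)."""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# What the server itself decided each order should cost (constructed data).
EXPECTED_ORDERS = {"order-1001": {"amount": Decimal("70.00"), "currency": "USD"}}
MERCHANT_EMAIL = "UserPayPalAccount@example.com"  # the 'business' value in the form

# Constructed IPN bodies: one honest payment, one where the buyer edited the amount.
SAMPLE_IPN_OK = ("payment_status=Completed&mc_gross=70.00&mc_currency=USD"
                 "&receiver_email=UserPayPalAccount%40example.com"
                 "&txn_id=TXN-CONSTRUCTED-1&custom=order-1001")
SAMPLE_IPN_TAMPERED = ("payment_status=Completed&mc_gross=1.00&mc_currency=USD"
                       "&receiver_email=UserPayPalAccount%40example.com"
                       "&txn_id=TXN-CONSTRUCTED-2&custom=order-1001")


def parse_ipn(body: str) -> dict:
    """Parse a form-encoded IPN body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def validate_ipn(fields: dict, seen_txn_ids: set) -> tuple:
    """Return (ok, reason). Assumes PayPal already answered VERIFIED to the
    echoed-back IPN; every check below compares PayPal's report with our own
    record rather than with anything the browser submitted."""
    order = EXPECTED_ORDERS.get(fields.get("custom", ""))
    if order is None:
        return False, "unknown order"
    if fields.get("payment_status") != "Completed":
        return False, "payment not completed"
    # Money sent to a different receiver is not a payment to this merchant.
    if fields.get("receiver_email", "").lower() != MERCHANT_EMAIL.lower():
        return False, "wrong receiver"
    if fields.get("mc_currency") != order["currency"]:
        return False, "wrong currency"
    try:
        paid = Decimal(fields.get("mc_gross", ""))
    except InvalidOperation:
        return False, "bad amount"
    if paid != order["amount"]:  # the edited hidden field shows up here
        return False, f"amount mismatch: paid {paid}, expected {order['amount']}"
    txn = fields.get("txn_id", "")
    if not txn or txn in seen_txn_ids:  # same notification replayed
        return False, "duplicate or missing txn_id"
    seen_txn_ids.add(txn)
    return True, "ok"
```

Only an order that passes every check should be marked paid; a mismatch is logged with the `txn_id` so it can be reconciled against the PayPal account later.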
Viewing 2 replies - 1 through 2 (of 2 total)