Title: Security issue Last modified: February 1, 2024 --- # Security issue * Resolved [Arashtad](https://wordpress.org/support/users/arashtad/) * (@arashtad) * [2 years, 2 months ago](https://wordpress.org/support/topic/security-issue-159/) * When user’s logged in and tries to view a license that doesn’t exist, an error is generated that is not handled by the plugin. For example is there’s no license with ID 123 and the user calls: [https://example.com/my-account/view-license-keys/123/](https://example.com/my-account/view-license-keys/123/) * The plugin doesn’t handle the error properly and depending on the theme error handling logic, sensitive information about server directory structure, database, and tokens can be revealed. The issue is cause by /wp-content/plugins/license- manager-for-woocommerce/includes/Integrations/WooCommerce/MyAccount.php at line 238 in viewLicenseKeys() and can be solved by a simple if statement like: * ```wp-block-code if($license != null) { $decrypted = $license->getDecryptedLicenseKey(); if ( is_wp_error( $decrypted ) ) { echo sprintf( '

%s

', $decrypted->get_error_message() ); return; } echo wc_get_template_html( 'myaccount/single.php', array( 'license' => $license, 'license_key' => $license->getDecryptedLicenseKey(), 'product' => ! empty( $license->getProductId() ) ? wc_get_product( $license->getProductId() ) : null, 'order' => ! empty( $license->getOrderId() ) ? wc_get_order( $license->getOrderId() ) : null, 'date_format' => get_option( 'date_format' ), ), '', LMFWC_TEMPLATES_DIR ); } else { echo 'Invalid license key'; } ``` * Please proceed as it can be misused and put websites in danger easily. - This topic was modified 2 years, 2 months ago by [Arashtad](https://wordpress.org/support/users/arashtad/). * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fsecurity-issue-159%2F%3Foutput_format%3Dmd&locale=en_US) to see the link]_ Viewing 9 replies - 1 through 9 (of 9 total) * Plugin Support [Mirza Hamza](https://wordpress.org/support/users/hamza1010/) * (@hamza1010) * [2 years, 2 months ago](https://wordpress.org/support/topic/security-issue-159/#post-17389632) * Hello [@arashtad](https://wordpress.org/support/users/arashtad/), * Thanks for contacting us, * Hope you are doing well, We’ve informed our technical team about your issue, and they will work on it promptly. When we receive their response, we will get back to you. Our team is here to assist you. * Thanks & Regards WP Experts Support Team * Plugin Support [Mirza Hamza](https://wordpress.org/support/users/hamza1010/) * (@hamza1010) * [2 years, 2 months ago](https://wordpress.org/support/topic/security-issue-159/#post-17390482) * Hello [@arashtad](https://wordpress.org/support/users/arashtad/), * Thanks for reaching us, * Hope you are doing well, We have added the code and will fix it in the next release. Please use the updated plugin on your site and let me know if you still have any issues. * Here is the updated plugin: [Download Plugin](https://drive.google.com/file/d/1JqiysjiRrF_K4XaXya4kTJ6UEATF0iSS/view?usp=sharing). * Thanks & Regards WP Experts Support Team * Thread Starter [Arashtad](https://wordpress.org/support/users/arashtad/) * (@arashtad) * [2 years, 2 months ago](https://wordpress.org/support/topic/security-issue-159/#post-17390612) * Thank you for the prompt action and great support. I checked the code and found the modification exactly as expected. We’ve had a lot of customization done on this powerful plugin using the methods provided in your documentation, template override, etc. But, this one was an already defined function and there was no standard way to modify it unless you do it. Because, our changes would be erased by each update and I’m not a fan of copying and locking others’ plugins; and you did it way quicker and cleaner than what I was expecting.Thank you and your technical team. - This reply was modified 2 years, 2 months ago by [Arashtad](https://wordpress.org/support/users/arashtad/). * Plugin Support [Mirza Hamza](https://wordpress.org/support/users/hamza1010/) * (@hamza1010) * [2 years, 2 months ago](https://wordpress.org/support/topic/security-issue-159/#post-17392809) * Thanks for the feedback. * [wpsupacc](https://wordpress.org/support/users/wpsupacc/) * (@wpsupacc) * [2 years, 2 months ago](https://wordpress.org/support/topic/security-issue-159/#post-17392991) * When is this update going to be pushed to all users ? * Plugin Support [Mirza Hamza](https://wordpress.org/support/users/hamza1010/) * (@hamza1010) * [2 years, 2 months ago](https://wordpress.org/support/topic/security-issue-159/#post-17393324) * Hello [@wpsupacc](https://wordpress.org/support/users/wpsupacc/), * We will add this in an upcoming release. * Thank you * Thread Starter [Arashtad](https://wordpress.org/support/users/arashtad/) * (@arashtad) * [1 year, 11 months ago](https://wordpress.org/support/topic/security-issue-159/#post-17748605) * The bug is back. * Your update after my message solved the problem. But, it seems in the newer versions it’s forgotten to be implemented. It would be great if you add this fix to the main branch of your development version to make sure the future updates are equipped with it. * Just add: if($license != null) * to /wp-content/plugins/license-manager-for-woocommerce/includes/Integrations/ WooCommerce/MyAccount.php at line 238 like: * ```wp-block-code if($license != null) { $decrypted = $license->getDecryptedLicenseKey(); if ( is_wp_error( $decrypted ) ) { echo sprintf( '

%s

', $decrypted->get_error_message() ); return; } echo wc_get_template_html( 'myaccount/single.php', array( 'license' => $license, 'license_key' => $license->getDecryptedLicenseKey(), 'product' => ! empty( $license->getProductId() ) ? wc_get_product( $license->getProductId() ) : null, 'order' => ! empty( $license->getOrderId() ) ? wc_get_order( $license->getOrderId() ) : null, 'date_format' => get_option( 'date_format' ), ), '', LMFWC_TEMPLATES_DIR ); } else { echo sprintf( '

%s

', __( 'Not found', 'license-manager-for-woocommerce' ) ); echo sprintf( '

%s

', __( 'The license you are looking for is not found.', 'license-manager-for-woocommerce' ) ); } ``` * And that’s it! Thank you * Plugin Support [Mirza Hamza](https://wordpress.org/support/users/hamza1010/) * (@hamza1010) * [1 year, 10 months ago](https://wordpress.org/support/topic/security-issue-159/#post-17751751) * Hello [@arashtad](https://wordpress.org/support/users/arashtad/), * Sorry for the inconvenience, We will discuss this internally and then update you. * Thank you * Plugin Support [Mirza Hamza](https://wordpress.org/support/users/hamza1010/) * (@hamza1010) * [1 year, 10 months ago](https://wordpress.org/support/topic/security-issue-159/#post-17759588) * Hello [@arashtad](https://wordpress.org/support/users/arashtad/), * We would like to inform you that we are releasing a build with the fixes so kindly wait for it we have added code to stop invalid license key. * Thank you Viewing 9 replies - 1 through 9 (of 9 total) The topic ‘Security issue’ is closed to new replies. * ![](https://ps.w.org/license-manager-for-woocommerce/assets/icon-256x256.gif? rev=2824216) * [License Manager for WooCommerce](https://wordpress.org/plugins/license-manager-for-woocommerce/) * [Frequently Asked Questions](https://wordpress.org/plugins/license-manager-for-woocommerce/#faq) * [Support Threads](https://wordpress.org/support/plugin/license-manager-for-woocommerce/) * [Active Topics](https://wordpress.org/support/plugin/license-manager-for-woocommerce/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/license-manager-for-woocommerce/unresolved/) * [Reviews](https://wordpress.org/support/plugin/license-manager-for-woocommerce/reviews/) * 9 replies * 3 participants * Last reply from: [Mirza Hamza](https://wordpress.org/support/users/hamza1010/) * Last activity: [1 year, 10 months ago](https://wordpress.org/support/topic/security-issue-159/#post-17759588) * Status: resolved