W3 Total Cache
[resolved] [closed] Security Issue: PRO upgrade asks for credit card details via HTTP (4 posts)

  1. Anthony Somerset
    Posted 2 years ago #

    I was being nosy and looking over the pro upgrade option to find out pricing (appears the only way to see right now is to click the upgrade button)

    Little bit troubled and alarmed that the form for upgrade asking for credit card details is pulled via HTTP and posts back via HTTP - if I understand PCI compliance correctly when it comes to accepting credit card information, is that it MUST be transmitted over HTTPS

    In fact, in Chrome it won't load the form in the iframe because my admin section is loading over HTTPS and it blocks it as an unsafe script

    For technical info, the upgrade button pulls up a lightbox with an iframe with URL http://www.w3-edge.com/?w3tc_buy_pro_plugin, which simply adds the item to their cart and redirects to http://www.w3-edge.com/checkout/?edd_pre_action=empty_cart&edd_action=add_to_cart&download_id=1792

    which contains the form, the form has a post back to itself again still over HTTP only

    I tried to load both of those URLs over HTTPS and neither works (timeout), likely because HTTPS is not even configured on that site

    I'd warn all users to exercise caution over inputting credit card details on that form until the developer makes it HTTPS, which can likely be done without even needing to release an update to the plugin itself


  2. esmi
    Forum Moderator
    Posted 2 years ago #

    These forums do not support commercial products. Only the free plugins downloaded from http://wordpress.org/plugins/. Please contact the plugin's vendor directly with any questions about commercial products.

  3. Anthony Somerset
    Posted 2 years ago #

    I already did, privately a couple of weeks ago, no reply at the time, except an acknowledgement via Twitter

    This was more to warn users of the issue as there is no other public support forum for W3TC presently

    I'll also add that this code is present from the plugin downloaded direct from w.org and not elsewhere

  4. Anthony Somerset
    Posted 2 years ago #

    Developer resolved the issue by enabling HTTPS and redirecting the page to HTTPS

    There's still the more minor issue that initial load of the iframe is still blocked in Chrome as an unsecure script so a plugin update is needed to change the iframe URL from http to https - to allow for users that have HTTPS enabled for admin

Topic Closed

This topic has been closed to new replies.
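
The flow described in posts 1 and 4, as an added example that is not part of the original thread or the plugin's code: a small Node.js audit that takes the embedding page URL, the iframe request chain and the final page's markup, and reports where the browser blocks the frame as mixed content and where card data would travel in cleartext. The admin URLs, the form markup and the post-fix HTTPS redirect target are constructed assumptions; the two http: URLs are the ones quoted in the thread.

```javascript
// Added example, not W3 Total Cache code. The admin URLs, form markup and the
// post-fix redirect target are constructed; the two http: URLs are from the thread.
function auditEmbeddedFlow(parentUrl, hops, finalHtml) {
  const parentSecure = new URL(parentUrl).protocol === 'https:';
  const findings = [];
  for (const hop of hops) {
    if (new URL(hop).protocol !== 'http:') continue;
    if (parentSecure) {
      // An HTTPS page refuses an http: frame request before it is sent, so a
      // server-side redirect to HTTPS never gets the chance to run.
      findings.push({ type: 'mixed-content-blocked', url: hop });
      return findings; // nothing after this point loads
    }
    findings.push({ type: 'cleartext-hop', url: hop });
  }
  const base = hops[hops.length - 1];
  for (const tag of finalHtml.match(/<form\b[^>]*>/gi) || []) {
    const m = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(tag);
    // A missing or empty action posts back to the document's own URL.
    const action = m ? (m[1] ?? m[2]) : '';
    const target = new URL(action || base, base);
    if (target.protocol === 'http:') {
      findings.push({ type: 'cleartext-form-post', url: target.href });
    }
  }
  return findings;
}

const IFRAME_SRC = 'http://www.w3-edge.com/?w3tc_buy_pro_plugin';
const CHECKOUT = 'http://www.w3-edge.com/checkout/?edd_pre_action=empty_cart' +
  '&edd_action=add_to_cart&download_id=1792';
const CHECKOUT_TLS = 'https://www.w3-edge.com/checkout/'; // constructed redirect target
const FORM_HTML = '<form method="post" action=""><input name="card_number"></form>';

const types = (f) => f.map((x) => x.type).join(',');
const scenarios = {
  reportedHttpAdmin: auditEmbeddedFlow('http://blog.example/wp-admin/', [IFRAME_SRC, CHECKOUT], FORM_HTML),
  reportedHttpsAdmin: auditEmbeddedFlow('https://blog.example/wp-admin/', [IFRAME_SRC, CHECKOUT], FORM_HTML),
  fixedHttpsAdmin: auditEmbeddedFlow('https://blog.example/wp-admin/', [IFRAME_SRC, CHECKOUT_TLS], FORM_HTML),
  fixedHttpAdmin: auditEmbeddedFlow('http://blog.example/wp-admin/', [IFRAME_SRC, CHECKOUT_TLS], FORM_HTML),
  patchedPlugin: auditEmbeddedFlow('https://blog.example/wp-admin/', [CHECKOUT_TLS], FORM_HTML),
};
for (const [name, f] of Object.entries(scenarios)) console.log(name, types(f) || 'clean');
```

The fixedHttpAdmin case shows why the redirect alone leaves a gap: the first request still leaves the browser in cleartext, so only an https: iframe URL in the plugin gives a clean result.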
