I was being nosy and looking over the pro upgrade option to find out pricing (appears the only way to see it right now is to click the upgrade button).
I'm a little bit troubled and alarmed that the upgrade form asking for credit card details is pulled via HTTP and posts back via HTTP. If I understand PCI compliance correctly when it comes to accepting credit card information, it MUST be transmitted over HTTPS.
In fact, in Chrome it won't load the form in the iframe, because my admin section is loading over HTTPS and it blocks it as an unsafe script.
For technical info, the upgrade button pulls up a lightbox with an iframe with URL http://www.w3-edge.com/?w3tc_buy_pro_plugin, which simply adds the item to their cart and redirects to http://www.w3-edge.com/checkout/?edd_pre_action=empty_cart&edd_action=add_to_cart&download_id=1792
which contains the form. The form posts back to itself, again still over HTTP only.
I tried to load both of those URLs over HTTPS and neither works (timeout), likely because HTTPS is not even configured on that site.
I'd warn all users to exercise caution over inputting credit card details on that form until the developer makes it HTTPS, which can likely be done without even needing to release an update to the plugin itself.
- The topic ‘Security Issue: PRO upgrade asks for credit card details via HTTP’ is closed to new replies.
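
An added example, not part of the original post: a small Python check for the two conditions described above, an HTTP iframe embedded in a page and a card form whose post-back resolves to HTTP. The host names, the sample markup and the field-name heuristic are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed heuristic: field-name fragments that suggest card data.
CARD_HINTS = ("card", "cvc", "cvv")

# Constructed sample markup (not copied from the site discussed above).
ADMIN_HTML = '<div class="lightbox"><iframe src="http://shop.example.test/?buy"></iframe></div>'
CHECKOUT_HTML = '<form method="post" action=""><input name="card_number"><input name="card_cvc"></form>'


class CheckoutAudit(HTMLParser):
    """Collects iframes and card-collecting forms that resolve to plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # list of (kind, resolved_url)
        self._form = None   # [resolved action, saw_card_field] while inside <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            url = urljoin(self.page_url, a["src"])
            if urlsplit(url).scheme == "http":
                self.findings.append(("iframe", url))
        elif tag == "form":
            # An empty or missing action posts back to the page itself,
            # so the submission inherits the scheme the page was loaded with.
            self._form = [urljoin(self.page_url, a.get("action") or ""), False]
        elif tag == "input" and self._form is not None:
            name = (a.get("name") or "").lower()
            if any(hint in name for hint in CARD_HINTS):
                self._form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            url, has_card = self._form
            if has_card and urlsplit(url).scheme == "http":
                self.findings.append(("card-form", url))
            self._form = None


def audit(page_url, html):
    """Return the insecure iframes and card forms found in html served at page_url."""
    parser = CheckoutAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings
```

The same checkout markup produces no finding when the page URL passed in is HTTPS, since a self-posting form then submits over HTTPS as well.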