The user can change the price of items in the html, (F12) on the paypal button in the page 'checkout' and he can change the value 'amount' to '0'. After the paypal API took that value... and charge the wrong price...
I think it's a big problem if nobody take care to double check the bills.
The Simple WordPress Paypal Shopping Cart Plugin looks good, functions well and is easy to use. You would think that the developers of so many plugins would create this to be safe and secure. It is not.
Last week, I discovered a major flaw in the use of the Simple WordPress Paypal Shopping Cart Plugin that allows a customer to change the price that is charged by PayPal. The transaction completes and if you don't know the price of all of your products, you might never catch it. I caught this error because it allowed a purchase process for FREE.
You may be asking yourself why this issue is not showing up in the support forum. It was. I had reported the issue in great detail. The post was removed. Let me explain why.
This is just a quick email to let you know I've deleted the thread you posted:
The WordPress.org plugins team is going to follow up with the author to explain the detail and get them to fix the plugin.
The main reason I've deleted it (which can be undone later on if need be) is we'd like to work with the developer to get the plugin (and any others affected) fixed to project the users of the plugin, without spreading the vulnerability to more sites.
Thanks for bringing to light the issue.
The plugins team can be contacted directly at firstname.lastname@example.org, if you run into any similar security/major vulnerabilities in plugins in the future and can't contact the author directly, please feel free to reach out to them. They'll gladly get plugin authors to fix it :)
WordPress Lead Developer
OK, I get that you would not necessarily want to broadcast a major vulnerability about a broken plugin, showing the public how easy it is to cheat the more than 50,000 users selling products. If I were to experience this again, I have learned from the above email to report it to the Plugins Team and let them handle this.
I disagree with completely removing the issue from the forum. I understand removing the steps that show how it is done, but I feel the users of this plugin have a right to know and need to be aware of such a vulnerability.
What concerns me is the attitude that one of the developers took when this was reported. We got into an argument about this being a true concern.
This is a simple plugin for people with very simple needs. Most people use it to sell a service or some physical products. Being able to change values using (REMOVED) or something similar is a common thing that you can do to all carts. What you are looking for is something that has advanced validation checks that is performed after a payment to detect this kind of changes. That is beyond the scope of this very simple plguin. Search for something that is a little more heavy-weight solution and hopefully you will get what you are looking for.
PS. I have been selling online for a long time... your genuine customers are just going to pay you the money. If someone wants to scam you, he will mostly use stolen card or account to do the transaction so that is really where you main concern will be.
Unfortunately, WordPress does not send you an email when you reply to a posting or I would have included it here. After receiving the above response, I blasted back, pointing out that the developers must have known about this since they used a more secure shopping cart for purchases on their own website.
It has been more than a week since this took place and I see that the issue has not been corrected. The plugin has not been updated. (Version 4.0.9 - Last Updated: 2015-6-4)
The developers do have a solution, but they want you to buy it.
There are other "more heavy-weight" free plugins out there that use the "advanced validation checks". I recommend you use one.
Not works "Add to Cart" button Boutique theme from elegantthemes.com.
i can't give one star ...
I installed. Went to activate - then it redirects me to my website. I can't delete it, I can't activate it. I am so not happy right now. I don't have any other ecommerce plugins.
We have just tried to add wp-ecommerce plugin and now cannot even log into /wp-admin
This is what I see instead.
Fatal error: Cannot redeclare wpsc_add_meta_boxes() (previously declared in /home/saramorr/public_html/wp-content/plugins/wordpress-simple-paypal-shopping-cart/wp_shopping_cart_orders.php:37) in /home/saramorr/public_html/wp-content/plugins/wp-e-commerce/wpsc-admin/admin.php on line 1256
Deactivated all other plugins but still - no AAAAARRRRGGGGGHHHH
You must log in to submit a review. You can also log in or register using the form near the top of this page.