I am writing to report a potential security vulnerability that was uncovered in your platform. Specifically, we discovered that your product purchase functionality can still be accessed via API even after the product has been disabled and is no longer available for sale.

1. An admin creates a product.
2. A user orders the product and hijacks the request using Burp Suite.
3. The admin disables the product.
4. The user sends the request and receives a successful response, unaware that the admin has disabled the product.
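
The steps above are consistent with an order endpoint that does not re-check the product's state when the request is processed. The following is an added example, not the platform's code: the `Store` class, both handler names, the sample request and the 409 status are assumptions, used to show the missing check beside the server-side check that closes it.

```python
# Constructed model of the reported flaw; all names and data are hypothetical.
class ProductUnavailable(Exception):
    """Raised when an order targets a product that is not on sale."""


class Store:
    def __init__(self):
        self.products = {}  # product_id -> {"price_cents": int, "enabled": bool}
        self.orders = []

    def create_product(self, product_id, price_cents):
        self.products[product_id] = {"price_cents": price_cents, "enabled": True}

    def disable_product(self, product_id):
        self.products[product_id]["enabled"] = False

    def order_unchecked(self, user, product_id):
        # Flawed: only requires that the product exists. Hiding a disabled
        # product in the UI does not stop a held request sent later.
        product = self.products[product_id]
        self.orders.append((user, product_id, product["price_cents"]))
        return {"status": 200, "order": len(self.orders)}

    def order_checked(self, user, product_id):
        # Hardened: re-read the product state when the request is processed.
        product = self.products.get(product_id)
        if product is None or not product["enabled"]:
            raise ProductUnavailable(product_id)
        self.orders.append((user, product_id, product["price_cents"]))
        return {"status": 200, "order": len(self.orders)}


def replay_after_disable(handler_name):
    """Steps 1-4: create, hold the order request, disable, then send it."""
    store = Store()
    store.create_product(1, 1999)
    held_request = {"user": "alice", "product_id": 1}  # constructed sample
    store.disable_product(1)
    try:
        status = getattr(store, handler_name)(**held_request)["status"]
    except ProductUnavailable:
        status = 409  # assumed rejection code for "no longer on sale"
    return status, len(store.orders)


if __name__ == "__main__":
    print(replay_after_disable("order_unchecked"))  # (200, 1)
    print(replay_after_disable("order_checked"))    # (409, 0)
```

In a real service the availability check and the order insert should run in the same database transaction, so that a disable landing between the two cannot be missed.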