• Author
  Posts
• 

  515hosting 11 months, 2 weeks ago

  I have a test user renter and a test landlord setup.
  I’m using Checking Payment Processing for test purposes.

  I noticed today, if you type in “/cart” to view the Cart, you can manually change the price of the Order by decreasing the quantity, but still lock in the dates. The admin of the site approves the payment as completed at the lower amount, the commission is based upon the lower amount, but the Booking remains reserved for the original number of nights.

  This is a pretty serious vulnerability in my opinion.

  Temporarily, I think a quick solution I could implement would be setting up a redirect I suppose to ensure the cart page can’t be accessed; however, that could cause problems if a site is using a combination of bookings and physical products.

  Please advice.

  

  ihor 11 months, 2 weeks ago developer

  Thanks for reporting this issue – will be fixed in the next Bookings update. Please consider using a redirect as a temporary fix, we’ll probably resolve this in the same way, but with an extra check that the cart currently contains a product with linked booking.

  

  515hosting 11 months, 2 weeks ago

  Appreciate it. I’m not using physical products or have any need for the cart, so I’ll just do a 302 redirect and call it good until the final fix is released.

  Thanks for the prompt response.

• Author
  Posts

New Reply

This forum has been archived and is no longer accepting new posts or replies. Please join our new community forum for support & discussion.