I have a test user renter and a test landlord setup.
I’m using Checking Payment Processing for test purposes.
I noticed today, if you type in “/cart” to view the Cart, you can manually change the price of the Order by decreasing the quantity, but still lock in the dates. The admin of the site approves the payment as completed at the lower amount, the commission is based upon the lower amount, but the Booking remains reserved for the original number of nights.
This is a pretty serious vulnerability in my opinion.
Temporarily, I think a quick solution I could implement would be setting up a redirect I suppose to ensure the cart page can’t be accessed; however, that could cause problems if a site is using a combination of bookings and physical products.