07 Jun

Vulnerability Details: Order Duplication Vulnerability in WC Duplicate Order

From time to time vulnerabilities are fixed in plugin without someone putting out a report on the vulnerability and we will put out a post detailing the vulnerability. While putting out the details of the vulnerability increases the chances of it being exploited, it also can help to identify vulnerabilities that haven’t been fully fixed (in some cases not fixed at all) and help to identify additional vulnerabilities in ...


To read the rest of this post you need to have an active account with our service.

For existing customers, please log in to your account to view the rest of the post.

If you are not currently a customer, when you sign up now you can try the service for half off (there are a lot of other reason that you will want to sign up beyond access to posts like this one).

If you are a security researcher please contact us to get free access to all of our Vulnerability Details posts.

2 thoughts on “Vulnerability Details: Order Duplication Vulnerability in WC Duplicate Order

  1. Can you confirm if that affects v1.2? This is the last one working with WooCommerce v2.x.

    I’ve been unable to reproduce your proof of concept but i might be missing something here.

    I visited /wp-admin/edit.php?post_type=shop_order&order_id=XXXXX&duplicate=init (so no _wpnonce on the URL) and was redirected to the admin login page.

    • To be viewing the proof of concept you would need to be a customer of the service, so you can see all the impacted versions on the page for the service in WordPress.

      The reason the what you did didn’t work is that you are taking a step not in the proof of concept, which is causing it to not work. Since you are a customer the best thing would be to contact us, we can explain the issue with what you are doing in trying to test this and also discuss with you what the options are to deal with the vulnerability in the situation you are in.

Leave a Reply

Your email address will not be published. Required fields are marked *