Description

The plugin does not validate order ownership, which could allow an unauthenticated attacker to delete orders by knowing the order ID and cart hash (i.e. they would have to create a cart that matches the items in the order they are trying to delete). Furthermore, only stores running on the legacy UPE and split-UPE versions are affected.
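
A simplified model of the check described above, added here as an illustration and not the plugin's own code: the class, function names, session tokens and SHA-256 cart hash are assumptions. It shows why a content-derived cart hash cannot stand in for an ownership check, next to a handler that binds deletion to the session that created the order.

```python
import hashlib
import hmac
import json


def cart_hash(items):
    """Content-derived hash (assumed SHA-256): equal carts give equal hashes."""
    canonical = json.dumps(sorted(items), separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class Store:
    """Hypothetical order store; names are illustrative, not the plugin's."""

    def __init__(self):
        self.orders = {}

    def create_order(self, order_id, owner_session, items):
        self.orders[order_id] = {"owner": owner_session, "hash": cart_hash(items)}

    def delete_order_weak(self, order_id, supplied_hash):
        # Flawed check as described: order ID + cart hash, no ownership test.
        order = self.orders.get(order_id)
        if order is None or not hmac.compare_digest(order["hash"], supplied_hash):
            return False
        del self.orders[order_id]
        return True

    def delete_order_checked(self, order_id, supplied_hash, session):
        # Hardened: the caller's session must be the one that created the order.
        order = self.orders.get(order_id)
        if order is None or session is None:
            return False
        if not hmac.compare_digest(order["owner"], session):
            return False
        if not hmac.compare_digest(order["hash"], supplied_hash):
            return False
        del self.orders[order_id]
        return True


def demo():
    store = Store()
    items = [("sku-1001", 2), ("sku-2002", 1)]  # constructed sample data
    store.create_order(501, "session-alice", items)
    store.create_order(502, "session-alice", items)
    rebuilt = cart_hash([("sku-2002", 1), ("sku-1001", 2)])  # same cart, other visitor
    weak = store.delete_order_weak(501, rebuilt)
    blocked = store.delete_order_checked(502, rebuilt, "session-bob")
    allowed = store.delete_order_checked(502, rebuilt, "session-alice")
    return weak, blocked, allowed
```

`demo()` returns `(True, False, True)`: the hash-only check accepts a request from a visitor who never owned the order, while the session-bound check rejects it and still lets the owner proceed.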
| CPE | Name | Operator | Version |
|---|---|---|---|
| | | eq | 6.7.0 |