Payment security

As a new user of s2Member I noticed that it is simple enough for a person of below-average intelligence to alter the currency and amount to pay for subscriptions using s2Member…

Without having to tell everyone… is it possible to prevent customers from having the option to pay whatever they want for their subscription?

/PeO

If you know of a way to alter the subscription details when registering, I suggest you open a GitHub issue, which will be more likely to catch the attention of the developers. If that’s possible, it is a serious bug.

It’s too easy… Do you really want this report public?

@peo Please send an email to us privately. Send to security@wpsharks.com


Tip: If the security issue that you’ve discovered is related to the ability to alter PayPal Button HTML markup, this is a known security issue in PayPal Buttons, it’s not specific to s2Member. To prevent others from altering button markup, enable Button Encryption. See: Dashboard → s2Member → PayPal Options → PayPal Account Details for the option to enable encryption.

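Button Encryption stops the button markup from being edited in the browser; the complementary server-side check is to never trust the amount or currency that comes back from the payment processor and instead compare it against the price stored for the plan. The following is an added example, not s2Member’s code or anything from this thread: it assumes a constructed plan price table and a notification dictionary shaped like the fields a PayPal IPN carries (`mc_gross`, `mc_currency`, `item_number`, `payment_status`) after the IPN has already been verified back with PayPal.

```python
# Added example (not s2Member's code): validate a payment notification against
# the server-side price of the plan it claims to pay for.
from decimal import Decimal, InvalidOperation
from typing import Dict, Tuple

# Constructed price table: the server is the only source of truth for what a
# plan costs and in which currency. Keys mimic PayPal's `item_number` field.
PLAN_PRICES: Dict[str, Tuple[Decimal, str]] = {
    "basic-monthly": (Decimal("9.99"), "USD"),
    "pro-yearly": (Decimal("99.00"), "USD"),
}


def validate_payment(notification: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason).

    The notification is assumed to have already passed the IPN verification
    round-trip with PayPal; that step is out of scope here. What this function
    adds is the check that the paid amount and currency match the stored plan
    price exactly, so an altered button (different amount or currency) is
    rejected instead of silently activating the membership.
    """
    plan = notification.get("item_number")
    if plan not in PLAN_PRICES:
        return False, f"unknown plan: {plan!r}"
    expected_amount, expected_currency = PLAN_PRICES[plan]

    if notification.get("payment_status") != "Completed":
        return False, "payment not completed"

    try:
        paid = Decimal(str(notification.get("mc_gross", "")))
    except InvalidOperation:
        return False, "unparseable amount"

    currency = notification.get("mc_currency")
    if currency != expected_currency:
        return False, f"currency mismatch: got {currency!r}, expected {expected_currency!r}"
    if paid != expected_amount:
        return False, f"amount mismatch: got {paid}, expected {expected_amount}"
    return True, "ok"


# Constructed sample notifications for demonstration.
SAMPLE_OK = {
    "item_number": "basic-monthly",
    "payment_status": "Completed",
    "mc_gross": "9.99",
    "mc_currency": "USD",
}
SAMPLE_TAMPERED_AMOUNT = dict(SAMPLE_OK, mc_gross="0.01")
SAMPLE_TAMPERED_CURRENCY = dict(SAMPLE_OK, mc_currency="JPY")

if __name__ == "__main__":
    for label, sample in [
        ("legitimate", SAMPLE_OK),
        ("altered amount", SAMPLE_TAMPERED_AMOUNT),
        ("altered currency", SAMPLE_TAMPERED_CURRENCY),
    ]:
        print(label, "->", validate_payment(sample))
```

The comparison is done with `Decimal` rather than floats so that `9.99` compares exactly, and the plan table is keyed on the same identifier the button sends, which is what lets the server ignore whatever price the client-side markup claimed.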

No, I should have clarified my reply. I only meant that you would probably get dev attention sooner on GitHub. I went ahead and contacted Jason about your thread.

That’s the problem I’m referring to, but what if I’m not sure I have the correct PayPal API password and signature, and the owner of the account does not know how to obtain these? There are some old settings for s2Member which might be correct (and as always, easily viewable for anyone getting into wp-admin and using “view source”), but if they’re not, will this break the membership purchases for the site?

You could talk him through it over Skype/Zoom or send him instructions.

If they are invalid, they probably will. If, by some chance, they are valid but not for the site owner’s account (maybe he got the site from someone else, for instance) then his money will go to someone else.

It is a very bad idea to proceed without making sure you have the right PayPal settings.
