plugin development – Is there a filter to check the user supplied customer_id field against the logged in user?
When submitting orders via the API, WooCommerce doesn’t check that the customer_id field is, in fact, the currently logged-in user. This can be exploited to brute force the database, or spam the system with false orders. Is there a way to hook into this functionality and check the case manually?
Also, is there a guide to hardening the WooCommerce API? Many of these routes need to be blocked and I am wondering if there is a comprehensive guide to doing so.
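One way to add the check the question asks for, as an added example that is not the asker's code and not WooCommerce's own: a small plugin that hooks WooCommerce's `woocommerce_rest_pre_insert_shop_order_object` filter (applied by the REST orders controller right before an order built from a request payload is saved; a returned `WP_Error` aborts the save and becomes the HTTP response) and rejects any `customer_id` that is not the authenticated caller, unless the caller holds `manage_woocommerce`. For the second question it also hooks WordPress core's `rest_pre_dispatch` to refuse the whole `/wc/vN/` management namespace to non-managers. The `myplugin_` prefix, error codes and messages are placeholders; the example assumes a WooCommerce version in which those two hooks are available.

```php
<?php
/**
 * Plugin Name: Order ownership check for the WooCommerce REST API
 * Description: Added example (not WooCommerce core code). Rejects REST order
 *              requests whose customer_id is not the authenticated caller, and
 *              optionally blocks the /wc/vN/ namespace for non-managers.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * Validate customer_id just before WooCommerce saves a REST-created or
 * REST-updated order. Returning a WP_Error aborts the save and is sent
 * back to the client as the HTTP response.
 *
 * @param WC_Order        $order    Order prepared from the request payload.
 * @param WP_REST_Request $request  Incoming request.
 * @param bool            $creating True for POST /orders, false for PUT/PATCH.
 * @return WC_Order|WP_Error
 */
function myplugin_enforce_order_customer( $order, $request, $creating ) {
	// Staff may place or edit orders on behalf of any customer.
	if ( current_user_can( 'manage_woocommerce' ) ) {
		return $order;
	}

	$caller_id = get_current_user_id();
	if ( 0 === $caller_id ) {
		return new WP_Error(
			'myplugin_not_logged_in',
			'Authentication is required to create or edit orders.',
			array( 'status' => 401 )
		);
	}

	// Reject any attempt to assign the order to a different account.
	$requested_id = $request->get_param( 'customer_id' );
	if ( null !== $requested_id && (int) $requested_id !== $caller_id ) {
		return new WP_Error(
			'myplugin_customer_mismatch',
			'customer_id must match the authenticated user.',
			array( 'status' => 403 )
		);
	}

	if ( $creating ) {
		// Pin the new order to the caller even when customer_id was omitted.
		$order->set_customer_id( $caller_id );
		return $order;
	}

	// On update, $order already carries the payload's values, so compare
	// against the stored copy to learn who actually owns the order.
	$stored = wc_get_order( $order->get_id() );
	if ( ! $stored || (int) $stored->get_customer_id() !== $caller_id ) {
		return new WP_Error(
			'myplugin_not_order_owner',
			'You may only modify your own orders.',
			array( 'status' => 403 )
		);
	}

	return $order;
}
add_filter( 'woocommerce_rest_pre_insert_shop_order_object', 'myplugin_enforce_order_customer', 10, 3 );

/**
 * Coarse hardening: refuse the /wc/vN/ management namespace to anyone who
 * cannot manage the shop. /wc/store/ (the Store API used by block checkout)
 * is deliberately left alone so the storefront keeps working.
 *
 * @param mixed           $result  Null unless an earlier filter already short-circuited.
 * @param WP_REST_Server  $server  REST server instance (unused here).
 * @param WP_REST_Request $request Incoming request.
 * @return mixed
 */
function myplugin_restrict_wc_namespace( $result, $server, $request ) {
	if ( null !== $result ) {
		return $result;
	}
	if ( preg_match( '#^/wc/v\d+/#', $request->get_route() ) && ! current_user_can( 'manage_woocommerce' ) ) {
		return new WP_Error(
			'myplugin_rest_forbidden',
			'This endpoint is restricted.',
			array( 'status' => rest_authorization_required_code() )
		);
	}
	return $result;
}
add_filter( 'rest_pre_dispatch', 'myplugin_restrict_wc_namespace', 10, 3 );
```

Drop the file into `wp-content/plugins/` (or `mu-plugins/`) and activate it. The two hooks are independent: the first is the targeted ownership check, the second is the blunt instrument. With the namespace block active, only managers ever reach the first filter, so a site that needs customers or an integration to use parts of `/wc/v3/` should replace the `preg_match` with an allow-list of the specific routes it needs rather than blocking the whole namespace.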