Attack vector for hacking/ill-intented orders


I just stumbled upon two empty orders without any content, no address, nothing…

The attacker used direct Ajax calls like ?wc-ajax=ppc-create-order / ?wc-ajax=ppc-approve-order to create and confirm orders directly.

As a result, orders were created and confirmed, reducing stock.

I wonder how this is possible in the first place and how I can harden the system against attacks like this,




This site will teach you how to build a WordPress website for beginners. We will cover everything from installing WordPress to adding pages, posts, and images to your site. You will learn how to customize your site with themes and plugins, as well as how to market your site online.

Buy WordPress Transfer