Booster for WooCommerce – Subscriber+ Order Status Update

Description

The plugins allow users to update their own order status via a settings defined by admins when the My Account module is enabled, however does not ensure that the status set is allowed. As a result, users could set arbitrary status to their own orders, making them paid without actually paying for them even though admins did not allow such status to be set.

Proof of Concept

Requirements:
- Enable the "My Account" module of the plugin (/wp-admin/admin.php?page=wc-settings&tab=jetpack&wcj-cat=dashboard&section=all_module)
- Add a status such as Canceled in the "Add Order Status Actions" settings of the module (/wp-admin/admin.php?page=wc-settings&tab=jetpack&wcj-cat=emails_and_misc&section=my_account)


As any logged in user, such as a subscriber, place an order and go the Order dashboard, a 'Canceled' action will be displayed in the Actions column, copy its link and change the status=canceled to status=processing, e.g: https://example.com/?wcj_action=wcj_woocommerce_mark_order_status&status=processing&order_id=337&_wpnonce=f3f6e8839d