Security Assessment for a European Online Retailer
How I found and helped fix critical vulnerabilities in an online shop built on WooCommerce, including payment flow issues and customer data exposure.
The Challenge
A European online retailer selling specialty electronics reached out after noticing suspicious activity in their server logs. They were running a heavily customized WooCommerce store with around 12,000 registered customers, processing roughly 800 orders per month through Stripe and PayPal.
The shop had been built over 3 years by different freelancers, with several custom plugins for inventory sync, customer loyalty points, and a B2B wholesale portal. Nobody had ever done a proper security review. The owner wanted to know how exposed they actually were.
My Approach
Phase 1: Scope & Reconnaissance
I started by mapping out what was actually running:
- The main storefront (WooCommerce on WordPress 6.x)
- A wholesale login area with separate pricing tiers
- REST API endpoints exposed by WooCommerce and 4 custom plugins
- An admin area with 3 staff accounts and 1 developer account
- Stripe and PayPal payment integrations
- A staging subdomain that was still publicly accessible
The tech stack: PHP 8.1, MySQL 8, Nginx, Redis for caching, Cloudflare in front.
Phase 2: Testing
I worked through the OWASP Top 10 with a focus on the areas that matter most for e-commerce:
- Authentication: Login and registration flows, password reset, session handling, the wholesale portal login
- Payment flow: Order manipulation, price tampering, coupon abuse, cart race conditions
- Customer data: Account enumeration, IDOR on order history and invoices, data leakage in API responses
- Input handling: SQL injection and XSS across product search, reviews, contact forms, and API parameters
- Access control: Privilege escalation between customer, wholesale, and admin roles
- Server configuration: Security headers, TLS setup, exposed files, directory listing, debug information
Phase 3: Validation
Every finding was manually verified. No automated scanner dumps. Each issue got:
- A CVSS v3.1 severity rating
- Step-by-step reproduction instructions
- Proof-of-concept with screenshots and HTTP request/response logs
Key Findings
| Severity | Count | Examples |
|---|---|---|
| Critical | 1 | IDOR vulnerability allowing any logged-in customer to view other customers’ order details and invoices by changing the order ID in the URL |
| High | 3 | Stored XSS in product reviews (rendered unescaped in admin dashboard); staging site with production database credentials in wp-config.php; wholesale price tier accessible by manipulating a cookie value |
| Medium | 5 | Missing rate limiting on login and password reset; verbose PHP error messages on certain API endpoints; outdated plugins with known CVEs; missing security headers (CSP, X-Frame-Options); session not invalidated after password change |
| Low | 4 | User enumeration via login error messages; autocomplete on payment forms; directory listing on uploads folder; WordPress version exposed in HTML source |
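The pattern behind the critical IDOR, and the ownership check that closes it, as an added example in PHP. This is not the shop's plugin code; the route, the function names and the `manage_woocommerce` exception for staff are assumptions.

```php
<?php
// Added example, not the retailer's plugin code. Assumes a hypothetical custom
// REST route GET /wp-json/shop/v1/invoice/<order_id> that returns order details
// to the customer who placed the order.

// BEFORE (the IDOR): the only check is "is someone logged in?", so any customer
// can change the order ID in the URL and read another customer's order and invoice.
function shop_invoice_permission_vulnerable( WP_REST_Request $request ) {
    return is_user_logged_in();
}

// AFTER: bind the order to the requesting user before anything is returned.
// Staff with manage_woocommerce keep access; everyone else must own the order.
// Unknown and foreign IDs get the same 404 so the check cannot be used to
// enumerate which order IDs exist.
function shop_invoice_permission_fixed( WP_REST_Request $request ) {
    $denied = new WP_Error( 'shop_not_found', 'Order not found.', array( 'status' => 404 ) );
    $order  = wc_get_order( (int) $request['id'] );
    if ( ! $order ) {
        return $denied;
    }
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    $uid = get_current_user_id();
    return ( 0 !== $uid && $order->get_customer_id() === $uid ) ? true : $denied;
}

function shop_invoice_payload( WP_REST_Request $request ) {
    $order = wc_get_order( (int) $request['id'] );
    return array(
        'order_id' => $order->get_id(),
        'status'   => $order->get_status(),
        'total'    => $order->get_total(),
        'items'    => array_values( array_map( fn( $item ) => $item->get_name(), $order->get_items() ) ),
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'shop/v1', '/invoice/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'shop_invoice_payload',
        // The vulnerable version pointed this at shop_invoice_permission_vulnerable.
        'permission_callback' => 'shop_invoice_permission_fixed',
    ) );
} );
```

The same ownership test belongs in any non-REST handler that reads an order ID from the URL, such as a PDF invoice download, since the permission callback only protects this one route.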
The Outcome
I delivered a 32-page report covering:
- Every finding with severity, reproduction steps, and recommended fix
- Priority order based on risk and how easy each fix was to implement
- Plugin-specific guidance for the custom code issues
- A hardening checklist for WordPress/WooCommerce best practices
The critical IDOR and the exposed staging site were fixed within 48 hours. The remaining high-severity issues were resolved over the following 2 weeks. I ran a verification check after remediation to confirm everything was properly addressed.
“I honestly didn’t expect that many issues. The report was clear enough that my developer could fix most things without back-and-forth.” (Store owner, paraphrased and anonymized)
Technologies & Standards
OWASP Top 10, CVSS v3.1, WordPress, WooCommerce, PHP, MySQL, Nginx, Burp Suite, TLS/SSL, Stripe, PayPal