Patching thecartpress

This was the first plugin I wrote an unsolicited patch for. The bug was bad news, which is why it caught my attention. But I was too late.

This e-commerce plugin had a handy feature: users could create an account upon checkout. Most shopping carts do this; it is a convenient feature I know I have used in the past on many e-commerce websites. The thing is… with thecartpress, you can choose your role.

When new users are created during the checkout process of thecartpress, you input all of the expected fields: name, password, email, etc. One hidden field, though, determines the new user's role. A hidden field is still part of the form the browser submits, so anyone can edit it (browser developer tools or an intercepting proxy are enough) before sending the request. If you change this value to "administrator" and submit the form, congratulations, you now have an administrator user account.

Writing the patch, I went the direct route: do not accept user input to determine the new account's role. There is a default role all new users are added with, so that should be good enough.

I could have gone with creating an allow list as well. This would require a user-manageable list of acceptable role names, but I did not want to deal with the front end, since default-role accounts are good enough and it saves me some development time.
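To make the bug and both fixes concrete, here is an added illustration in PHP. It is not thecartpress's own code and not the patch itself; the function and form field names are assumptions, and only the WordPress calls (`wp_insert_user`, `get_option`, `sanitize_user`, `sanitize_email`, `sanitize_key`) are real APIs. The first function shows the mass-assignment pattern described above, the second the default-role fix the post chose, and the third the allow-list alternative.

```php
<?php
// Added example, not code from thecartpress or its patch. Function names, the
// form field names and the 'customer' role are assumptions for illustration.

// --- Vulnerable pattern: the role is read straight from the submitted form ---
function tcp_example_register_vulnerable( array $post ) {
    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
        // Comes from a hidden <input name="role"> on the checkout form. The
        // browser owner controls it, so 'administrator' is accepted as-is:
        // wp_insert_user() only checks that the role exists, not that the
        // caller may grant it.
        'role'       => $post['role'],
    );
    return wp_insert_user( $userdata );
}

// --- Fix 1 (what the post did): ignore the field, use the site's default role ---
function tcp_example_register_default_role( array $post ) {
    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
        // WordPress's "New User Default Role" setting. No request data involved.
        'role'       => get_option( 'default_role', 'subscriber' ),
    );
    return wp_insert_user( $userdata );
}

// --- Fix 2 (the allow-list alternative): only named, unprivileged roles pass ---
function tcp_example_pick_role( $requested, array $allowed ) {
    $requested = sanitize_key( (string) $requested );
    // Strict comparison against the list; anything else, including
    // 'administrator', falls back to the default role.
    if ( in_array( $requested, $allowed, true ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function tcp_example_register_allow_list( array $post ) {
    // In a real plugin this list would come from a settings page; 'customer'
    // is a placeholder for whatever low-privilege role the shop uses.
    $allowed = array( 'subscriber', 'customer' );
    $userdata = array(
        'user_login' => sanitize_user( $post['username'] ),
        'user_email' => sanitize_email( $post['email'] ),
        'user_pass'  => $post['password'],
        'role'       => tcp_example_pick_role( isset( $post['role'] ) ? $post['role'] : '', $allowed ),
    );
    return wp_insert_user( $userdata );
}
```

When auditing a plugin for this class of bug, the quick check is to look for any call to `wp_insert_user()` or `wp_update_user()` whose `role` key (or a following `set_role()` / `add_role()` call) is fed from `$_POST`, `$_GET` or `$_REQUEST` without a capability check; a hidden form field is no more trustworthy than a visible one.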

You can read more about this patch and its details in the Last Patch for thecartpress.
