Context Navigation

Changeset 3460483

Timestamp:

02/13/2026 04:24:35 AM (7 weeks ago)

Author:

webimpian

Message:

Patch vulnerability

Location:

bayarcash-wc/trunk

Files:

r3460478	r3460483
13	13	* Plugin Name: Bayarcash WC
14	14	* Plugin URI: https://bayarcash.com/
15		* Version: 4.3.13
	15	* Version: 4.3.14
16	16	* Description: Accept payment from Malaysia. Bayarcash support FPX, Direct Debit, DuitNow OBW & DuitNow QR payment channels.
17	17	* Author: Web Impian

-                      r3460478
+                      r3460483
+        }
+        $payment_method = $order->get_payment_method();
+        $payment_data = $this->get_payment_settings($payment_method);
+        $settings = $payment_data['settings'];
+        if (empty($settings)) {
+            $this->log('Invalid payment method for pre-transaction verification.', $order);
+            return;
+        }
+        $this->initialize_bayarcash_sdk($settings);
+        if (!$this->verify_transaction_callback($response_data, $settings, $order)) {
+            $this->log('Pre-transaction checksum verification failed.', $order);
+            return;
+        }
         $transaction_exchange_no = $response_data['transaction_id'];
         $exchange_reference_number = $response_data['exchange_reference_number'];
 …
+        }
-        $order->update_status('pending');
         $this->store_post_meta_transaction_exchange_no($order_no, $transaction_exchange_no);
         $this->log("Order status set to 'pending' and Transaction Exchange No. stored in wp_post meta.", $order);
+        $this->log("Transaction Exchange No. stored in wp_post meta.", $order);
+    }

-                      r3460478
+                      r3460483
 == Changelog ==
+= 4.3.14 =
+* Security: Removed unauthorized order status change in pre-transaction callback
 = 4.3.13 =
 * Security: Added nonce verification to admin AJAX settings handler

Note: See TracChangeset for help on using the changeset viewer.