Address Fields Pre-populated on Checkout with Another Customer’s Address


When a new shopper proceeds to the checkout page, the billing address and shipping address fields will already be populated with an address that appears to be for another customer.


Shopp Version: 1.2 – 1.2.1


This problem is not a general security issue. It is a bug that potentially affects Shopp 1.2 and 1.2.1 sites, with very limited security ramifications.

The problem occurs when a new Shopp customer record is created from the Shopp store/account profile for an existing WordPress user that does NOT already have a Shopp customer record. When this save takes place, the new billing and shipping addresses are not properly associated with the new customer record. The result is orphaned address records associated with the non-existent customer record 0.

Note: This will never occur with a new customer account created from a successful purchase through the store’s checkout. It can only occur by creating a WordPress user and manually creating a new customer record from the Shopp account profile page.


Steps to fix the root cause:

In shopp/core/model/Customer.php, the following line should be added after line 333 in the profile() method:

$Updated->customer = $this->id;

This makes the whole if{} block read:

if (isset($_POST[$type]) && !empty($_POST[$type])) {
    $Updated = new $class($this->id,'customer');
    $Updated->customer = $this->id;
    ShoppOrder()->$Address = $Updated;

This will ensure that a new address record will be properly associated with a new customer record.

Steps to fix the symptoms:

In shopp/core/model/Address.php, add the following line to the beginning of the __construct() constructor methods of both the ShippingAddress and BillingAddress classes:

if ( ! $id ) return;

This will prevent an invalid/orphaned address record from being loaded by mistake on the checkout page for an anonymous shopper.
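The following added example (not Shopp's own code) simulates the lookup with simplified stand-in classes to show why the guard matters: without it, a load keyed on an empty customer id matches the orphaned row. The class names, the find_address() helper, the sample rows and the assumption that an anonymous shopper's customer id is 0 are all hypothetical.

```php
<?php
// Constructed stand-in for wp_shopp_address rows (sample data, not real records).
$ADDRESS_ROWS = [
    ['id' => 1, 'customer' => 7, 'type' => 'billing', 'address' => '1 Main St'],
    // Orphan left behind by the profile() bug: customer id 0.
    ['id' => 2, 'customer' => 0, 'type' => 'billing', 'address' => '99 Private Rd'],
];

// Hypothetical helper standing in for the database load by key.
function find_address(array $rows, $value, $key, $type) {
    foreach ($rows as $row) {
        if ((int) $row[$key] === (int) $value && $row['type'] === $type) return $row;
    }
    return null;
}

// Before: loads whatever row matches the key, including customer 0.
class UnguardedBillingAddress {
    public $address = '';
    function __construct(array $rows, $id = false, $key = 'customer') {
        $row = find_address($rows, $id, $key, 'billing');
        if ($row) $this->address = $row['address'];
    }
}

// After: the guard from the article returns before any lookup when $id is empty.
class GuardedBillingAddress {
    public $address = '';
    function __construct(array $rows, $id = false, $key = 'customer') {
        if ( ! $id ) return;
        $row = find_address($rows, $id, $key, 'billing');
        if ($row) $this->address = $row['address'];
    }
}

$anonymous = 0; // assumption: an anonymous shopper has no customer record, so the id is 0
$before = new UnguardedBillingAddress($ADDRESS_ROWS, $anonymous);
$after  = new GuardedBillingAddress($ADDRESS_ROWS, $anonymous);
$known  = new GuardedBillingAddress($ADDRESS_ROWS, 7);

// The unguarded class exposes the orphaned address; the guarded one stays empty.
echo "unguarded, anonymous: '{$before->address}'\n";
echo "guarded, anonymous:   '{$after->address}'\n";
echo "guarded, customer 7:  '{$known->address}'\n";
```

The guard only hides the orphaned rows from checkout; they remain in the table until the clean-up query is run.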

Clean Up

Registering a new customer for an existing WordPress user in Shopp 1.2 and 1.2.1 will result in one or more entries in your wp_shopp_address table with a customer id of 0 (invalid address not associated with a customer record).

Run the following query from your MySQL database client to clean up the bad records (substitute the name of your Shopp address table in the query if applicable):

DELETE FROM wp_shopp_address WHERE customer=0;


© Ingenesis Limited. Shopp™ is a registered trademark of Ingenesis Limited.