Address Fields Pre-populated on Checkout with Another Customer’s Address

Symptoms

When a new shopper proceeds to the checkout page, the billing address and shipping address fields will already be populated with an address that appears to be for another customer.

Impacts

Shopp Version: 1.2 – 1.2.1

Summary

This is a bug potentially affecting Shopp 1.2 and 1.2.1 sites rather than a general security issue, and its security ramifications are very limited.

The problem occurs when a new Shopp customer record is created from the Shopp store/account profile for an existing WordPress user who does NOT already have a Shopp customer record. When this save takes place, the new billing and shipping addresses are not properly associated with the new customer record, leaving orphaned address records associated with the non-existent customer record 0.

Note: This will never occur with a new customer account created from a successful purchase through the store’s checkout. It can only occur by creating a WordPress user and manually creating a new customer record from the Shopp account profile page.

Solution

Steps to fix the root cause:

In shopp/core/model/Customer.php, the following line should be added after line 333 in the profile() method:

$Updated->customer = $this->id;

This makes the whole if{} block read:

if (isset($_POST[$type]) && !empty($_POST[$type])) {
    $Updated = new $class($this->id,'customer');
    $Updated->customer = $this->id;
    $Updated->updates($_POST[$type]);
    $Updated->save();
    ShoppOrder()->$Address = $Updated;
}

This will ensure that a new address record will be properly associated with a new customer record.

Steps to fix the symptoms:

In shopp/core/model/Address.php, add the following line to the beginning of the __construct() constructor methods of both the ShippingAddress and BillingAddress classes:

if ( ! $id ) return;

This will prevent an invalid/orphaned address record from being loaded by mistake on the checkout page for an anonymous shopper.
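The following is an added illustration, not Shopp code: a simplified Python/SQLite model of how the two fixes interact. The table layout, function names and sample address are constructed for the example, and it assumes an anonymous shopper is looked up with customer id 0 and that an unassigned customer column defaults to 0.

```python
import sqlite3

# Simplified model (assumption): only the columns needed to show the bug.
SCHEMA = ("CREATE TABLE address (id INTEGER PRIMARY KEY, "
          "customer INTEGER DEFAULT 0, type TEXT, street TEXT)")

def load_address(db, customer_id, kind, guarded):
    """Model of the address constructor: look up an address by customer id."""
    if guarded and not customer_id:       # models `if ( ! $id ) return;`
        return None
    return db.execute(
        "SELECT id, customer, street FROM address WHERE customer=? AND type=?",
        (customer_id, kind)).fetchone()

def save_profile_address(db, customer_id, kind, street, fixed):
    """Model of profile(): save an address posted from the account profile."""
    row = load_address(db, customer_id, kind, guarded=False)
    if row:                               # existing record: update in place
        db.execute("UPDATE address SET street=? WHERE id=?", (street, row[0]))
        return
    # No existing record: the new row keeps customer 0 unless the fix
    # assigns the owner (models `$Updated->customer = $this->id;`).
    owner = customer_id if fixed else 0
    db.execute("INSERT INTO address (customer, type, street) VALUES (?,?,?)",
               (owner, kind, street))

def demo(fixed, guarded):
    """Return (street shown to an anonymous shopper, orphaned row count)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Constructed sample: customer 42 is created from the profile page.
    save_profile_address(db, 42, "billing", "1 Example St", fixed)
    seen = load_address(db, 0, "billing", guarded)   # anonymous checkout
    orphans = db.execute(
        "SELECT COUNT(*) FROM address WHERE customer=0").fetchone()[0]
    return (seen[2] if seen else None), orphans

if __name__ == "__main__":
    for fixed, guarded in [(False, False), (False, True), (True, True)]:
        print(f"fixed={fixed} guarded={guarded} ->", demo(fixed, guarded))
```

In this model the guard alone hides the symptom but leaves the orphaned row in place, which is why the root-cause fix and the clean-up are still needed.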

Clean Up

Registering a new customer for an existing WordPress user in Shopp 1.2 and 1.2.1 will result in one or more entries in your wp_shopp_address table with a customer id of 0 (invalid address not associated with a customer record).

Run the following query from your MySQL database client to clean up the bad records (substitute the name of your Shopp address table in the query if applicable):

DELETE FROM wp_shopp_address WHERE customer=0;

Bug Ticket

#1717


© Ingenesis Limited. Shopp™ is a registered trademark of Ingenesis Limited.
