Some one posted a listing for $22 dollars.

I added to cart,  Copied the link of bank transfer. And then changed the price in link.  And then I bought via bank transfer.

His price was $22 and I changed to $12.  Admin does not know about it.


https://plugins2.abprofitrade.eu/payments/transfer/12.99/user%2C430%7Citemid%2C430%7Cemail%2Chs_safi%40yahoo.com%7Cname%2CHasib+Khan%7Camount%2C26.99%7Cconcept%2CPay+2+cart+items+for+USD12.99%7Cproduct%2C901x1x430/Pay+2+cart+items+for+USD12.99

Even if you click above link,  other person can also buy me this without login.

Wow, nice catch!

Maybe a good way to solve it would be to Base64 encode/decode the value in the URL, so the user doesn't see the actual amount (12.99), but a string like MTIuOTk=

You still can decode such string.
If someone does that, there is no point to have such user on site, as it will be user trying to cheat you.
We should review why it is possible to use it for unlogged user

Issue has been fixed in v3.4.8

Added few new hooks and filters to itempay page.
Secured transfer pay functions that does not allow to change parameters transferred in URL, nor create transfer on behalf of different user.

Functions and technique created could be simply used on other payment methods in future.
For each payment, checksum is created using crypt key and when payment is being processed, new checksum using same key is created and both checksum compared