Back to blog
e-commercevulnerabilitiesWooCommerce

E-commerce: why 70% of online stores are vulnerable to privilege escalation

Published on 2026-02-286 min readCleanIssue

> TL;DR: Price manipulation, cross-customer order access, stock bypass — common e-commerce flaws.

French e-commerce underestimates the risk

Flaw 1: Client-side price manipulation

If the price is sent from frontend to payment API, users can modify the amount.

Flaw 2: Cross-customer order access

Sequential order IDs = enumerate and view all customers' orders.

Flaw 3: Stock bypass

Negative quantities, simultaneous requests, stock manipulation via API.

Flaw 4: Weak customer authentication

Predictable password reset, no 2FA, non-expiring sessions.

Flaw 5: Vulnerable WooCommerce plugins

Plugins adding unauthenticated REST endpoints. We regularly find public CSV export endpoints.

Key Takeaways

  • Identify and test your exposed attack surfaces before a third party does.
  • Client-side security controls never replace server-side validation.
  • Regular audits are more effective than one-time checks — vulnerabilities appear with every deployment.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Sources

    Written by CleanIssue
    Reviewed on 2026-02-28

    Editorial analysis based on official vendor, project, and regulator documentation.

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit