E-commerce: why 70% of online stores are vulnerable to privilege escalation
> TL;DR: Price manipulation, cross-customer order access, stock bypass — common e-commerce flaws.
French e-commerce underestimates the risk
Flaw 1: Client-side price manipulation
If the price is sent from frontend to payment API, users can modify the amount.
Flaw 2: Cross-customer order access
Sequential order IDs = enumerate and view all customers' orders.
Flaw 3: Stock bypass
Negative quantities, simultaneous requests, stock manipulation via API.
Flaw 4: Weak customer authentication
Predictable password reset, no 2FA, non-expiring sessions.
Flaw 5: Vulnerable WooCommerce plugins
Plugins adding unauthenticated REST endpoints. We regularly find public CSV export endpoints.
Key Takeaways
Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
Stripe: 5 configuration errors that allow paywall bypass
Your Stripe keys are in the frontend. Your payment sessions are manipulable. Here are 5 errors we find.
The 10 flaws we found most in 2025-2026
Ranked list of most frequent vulnerabilities across our audits. Missing RLS at #1, unauthenticated webhooks at #2, exposed API keys at #3.
WordPress REST API: 7 dangerous endpoints enabled by default
Your WordPress exposes sensitive data via REST API without you knowing. Here are 7 endpoints to check now.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.
Related services
If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.