A fraudulent customer is able to order tickets which are not meant to be ordered anymore.
Resource ID 1532 has been unpublished, archived and is crossed-out red in the archive.
I know there are ways to make orders check for the published state. I have just not been able to find any documentation on how/what. This is why I am asking here if anyone can point me in the right direction.
The resource itself is not reachable, or able to be seen by anyone (not even admins). But the ID is used for placing orders by copying a real order URL and replacing the ID with this one.
Due to the fact this is an open security issue, I cannot publicly share this link.
This link allows you to order resource 1532, which should no longer be able to be ordered (free return tickets for certain transport services).
Able to order a non-existing/active product as long as the PID (this can be changed as soon as you go to page 2 when your contact info is already known to the website, or directly once you're known in the cache) is known to the customer, even though they should not be able to.
The actual resource itself is not reachable, but still able to be ordered with ID.
It should no longer be reachable or open to being ordered.
MODX 2.6.5, Apache 2.4.51, Browser unknown but I know for a fact I can reproduce with Chrome, MariaDB 10.5.11
Thank you in advance for your time and effort.