Expected Findings
- Plan upgrade is gated on the client-supplied `paid` query parameter.
- No Stripe session ID is checked before granting the plan.
- User ID is taken from the URL, allowing upgrades for arbitrary accounts.

The post-checkout page activates the paid plan based on URL query parameters instead of verifying the session against Stripe.

```go
// Vulnerable: the grant depends only on a client-controlled query parameter.
if req.URL.Query().Get("paid") == "true" { grant(plan, user) }
```
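
A hardened counterpart to the check above, as an added example (not code from the reviewed application): the plan is granted only when a server-side session lookup reports `payment_status` of `paid` and the session's `client_reference_id` matches the logged-in user. The `sessions` map stands in for retrieving the Checkout Session from Stripe on the server, and `userKey`, `granted`, `Plan` and `Activate` are hypothetical names operating on constructed sample data.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CheckoutSession: fields read back from Stripe (payment_status, client_reference_id).
// Plan is an assumption: a value the server recorded when it created the session.
type CheckoutSession struct{ PaymentStatus, ClientReferenceID, Plan string }

// Constructed sample sessions; real code would fetch the session from Stripe server-side.
var sessions = map[string]CheckoutSession{
	"cs_test_paid":   {"paid", "user-1", "pro"},
	"cs_test_unpaid": {"unpaid", "user-1", "pro"},
}

type userKey struct{} // context key assumed to be set by login middleware

var granted = map[string]string{} // user -> plan, stands in for the database

// PostCheckout grants a plan only if the looked-up session is paid and was
// created for the logged-in user. "paid" and "user" in the URL are ignored.
func PostCheckout(w http.ResponseWriter, r *http.Request) {
	user, _ := r.Context().Value(userKey{}).(string)
	s, ok := sessions[r.URL.Query().Get("session_id")]
	if user == "" || !ok || s.PaymentStatus != "paid" || s.ClientReferenceID != user {
		http.Error(w, "payment not verified", http.StatusPaymentRequired)
		return
	}
	granted[user] = s.Plan // user and plan both come from server-side state
	fmt.Fprintln(w, "plan activated")
}

// Activate sends one request as authUser and returns the HTTP status code.
func Activate(authUser, rawQuery string) int {
	req := httptest.NewRequest("GET", "/checkout/done?"+rawQuery, nil)
	req = req.WithContext(context.WithValue(req.Context(), userKey{}, authUser))
	rec := httptest.NewRecorder()
	PostCheckout(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Activate("user-2", "paid=true&user=user-1"), granted)
}
```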