I have installed OSCmax 2.5.2 and testing my site. I found a possible security issue. Please clarify the below situation.
1) Customer logs into 'my account'
2) Adds an item into cart
3) Presses 'Checkout' tab (One page checkout not enabled)
4) Site takes the customer through checkout_shipping.php and then checkout_payment.php
This is where I found the security issue.
After step (4), if I manually type the URL "www.storename.com/checkout_success.php", the order gets completed!!! Even before the customer makes the payment....
In one instance, I noticed that order_process email is also sent to the customer.
But in some other instances, no email was sent to the customer, but "Your order has been successfully processed" message appears to the customer.
Please clarify ....
P.S: I tested this behavious with oscmax store also (That sells the admin manual. There also, I could see similar issue)