Setting a shop's price as ITEM type (tested with PriceType AND) and placing data from said specific item taken from /bs read or manually inputting data can still let players purchase the Shop Item as long as the type of the item is there.
To put it simply, as long as the Player has any item that matches the type of item declared in the Price section, they can purchase the item regardless.
The Exploit, Simulated
Below is a simulation of how the Player can use the exploit.
The Player first opens the shop and sees the item. The Player has said Vault money of 2500 Coins. However, he does not have the "Special Cobblestone" item which can only be bought from the fictional "ProMCTeam Shop". He has, however, ten pieces of normal cobblestone he got from mining.
Expected Result:
As soon as he clicks the item to try and buy it, he receives the message telling him he does not have the item the Shop is asking for.
Actual Result:
As soon as he clicks the item to try and buy it, both his money and the cobblestone he mined (which did NOT have the special attributes, name, lore, and flags of the said item) get taken as valid payment and the Reward is issued. The player has completely bypassed the explicit requirement of the Item declared in the shop.
This is dangerous. So far, the only fix I've done (or can do) is closing all server shops until further notice.
I am not sure if this is a widespread issue or if my use-case is common, but I cannot employ any other fix as it is inherent to the plugin. I made use of the plugin's features and have read the docs to deploy it on my server. Unfortunately, this (what I would consider at least) major exploit has left everything at a standstill.
I believe this is an issue the devs should consider looking into soon.
Minecraft Version:
1.19.3
Server: paper-1.19.3-375.jar
BossShopPro jar/version: bossshoppro-2.1.0-20221231.231026-19.jar
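Added example, not part of the original report and not BossShopPro's code: a self-contained Java sketch of the difference between a type-only price check, which behaves as the report describes, and a strict check that also compares name and lore. The `Item` record, both method names and the lore text are hypothetical stand-ins constructed for this illustration.

```java
import java.util.List;
import java.util.Objects;

public class PriceItemMatch {
    // Hypothetical stand-in for an item stack: material type plus the
    // metadata the report mentions (display name, lore) and a stack size.
    record Item(String type, String displayName, List<String> lore, int amount) {}

    // Type-only comparison: any stack of the same material is accepted,
    // which is the behaviour described in the report.
    static boolean matchesTypeOnly(Item required, Item held) {
        return required.type().equals(held.type())
            && held.amount() >= required.amount();
    }

    // Strict comparison: material, display name and lore must all match
    // before the stack is accepted as payment.
    static boolean matchesStrict(Item required, Item held) {
        return required.type().equals(held.type())
            && Objects.equals(required.displayName(), held.displayName())
            && Objects.equals(required.lore(), held.lore())
            && held.amount() >= required.amount();
    }

    public static void main(String[] args) {
        // Constructed sample data modelled on the scenario in the report.
        Item price = new Item("COBBLESTONE", "Special Cobblestone",
                List.of("Sold at ProMCTeam Shop"), 1);
        Item mined = new Item("COBBLESTONE", null, List.of(), 10);
        Item special = new Item("COBBLESTONE", "Special Cobblestone",
                List.of("Sold at ProMCTeam Shop"), 1);

        // Plain mined cobblestone passes the loose check but not the strict one.
        System.out.println("type-only, mined:   " + matchesTypeOnly(price, mined));
        System.out.println("strict,    mined:   " + matchesStrict(price, mined));
        // The genuine shop item passes both checks.
        System.out.println("type-only, special: " + matchesTypeOnly(price, special));
        System.out.println("strict,    special: " + matchesStrict(price, special));
    }
}
```

On a Bukkit/Paper server the corresponding strict check is `ItemStack.isSimilar`, which compares type and item meta while ignoring stack size.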