Users can easily create duplicate subscriptions


Here’s an example with PayPal:
  1. Alice subscribed to an upgrade with monthly payments.
  2. For whatever reason, Alice’s bank declines the payment the following month.
  3. XenForo downgrades Alice when payment lapses, as it should.
  4. Alice notices that she no longer has an active upgrade and goes to the upgrade page to investigate.
  5. XenForo offers to let her purchase the upgrade again. This is a bug. Alice takes this to mean that the existing subscription has been canceled. XenForo doesn’t provide any option to view or cancel the existing subscription.
  6. Alice subscribes a second time.
  7. PayPal keeps the existing subscription active on their end and may attempt a second charge, which Alice’s bank may approve.
  8. Alice is never notified or given an explanation as to what happened, aside from a duplicate receipt. Unless Alice notices and contacts the forum admins, she’ll continue getting charged twice.
This affects other payment providers, as well. Depending on the provider, it may be impossible for Alice to view or cancel the duplicate subscription on her own.

This is an increasingly common issue now that India’s banking regulations have gotten stricter. Banks there have a tendency to decline automated payments on a regular basis. As soon as the user manually re-subscribes, the bank starts paying again, only to repeat the same issue a month or two later. What could’ve once been considered a rare edge case is now a common occurrence.
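The sequence in the post above, replayed as an added example that is not part of the original post and is not XenForo's or any payment provider's code. It models the forum's entitlement state separately from the provider-side subscription state and shows the effect of checking the latter before offering a purchase; every name (`Store`, `ProviderStatus`, `replay`, the `SUB-n` ids) is hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class ProviderStatus(Enum):
    ACTIVE = "active"        # provider still holds the agreement and may bill
    CANCELLED = "cancelled"  # provider will never bill again


@dataclass
class Subscription:
    sub_id: str              # provider-side subscription id (constructed sample value)
    user: str
    upgrade: str
    status: ProviderStatus = ProviderStatus.ACTIVE


@dataclass
class Store:
    subs: list = field(default_factory=list)    # provider-side records
    entitled: set = field(default_factory=set)  # (user, upgrade) pairs active on the forum

    def live_subs(self, user, upgrade):
        return [s for s in self.subs
                if (s.user, s.upgrade) == (user, upgrade)
                and s.status is ProviderStatus.ACTIVE]

    def payment_failed(self, user, upgrade):
        # Step 3: the forum downgrades; the provider-side subscription stays ACTIVE.
        self.entitled.discard((user, upgrade))

    def purchase(self, user, upgrade, sub_id, guard=True):
        # guard=False reproduces step 5: the offer depends only on local entitlement.
        live = self.live_subs(user, upgrade)
        if guard and live:
            # Surface the existing subscription(s) for cancel/retry instead of selling again.
            return ("blocked", [s.sub_id for s in live])
        self.subs.append(Subscription(sub_id, user, upgrade))
        self.entitled.add((user, upgrade))
        return ("subscribed", [sub_id])


def replay(guard):
    """Replay Alice's steps 1-7; return (second purchase result, live subscription count)."""
    store = Store()
    store.purchase("alice", "premium", "SUB-1", guard)
    store.payment_failed("alice", "premium")
    result = store.purchase("alice", "premium", "SUB-2", guard)
    return result, len(store.live_subs("alice", "premium"))
```

Without the guard the replay ends with two billable subscriptions for the same upgrade; with it, the second purchase is refused and the id of the lapsed-but-live subscription is returned so it can be shown to the user.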