During my holiday, I started testing on a private program. The first thing I did was browse my target and try to discover the site’s features. After some time of browsing the target, I went to the payment page and started testing the payment functionality.<\/strong><\/p>\n\n\n\n There are 3 payment plans, as shown below in the image.<\/strong> <\/p>\n\n\n\n Now we understand the 3 types of plans, let’s go to the exploitation.<\/p>\n\n\n\n After that, I switched back to the Annual Plan, Pay upfront plan and Fill all fields and clicked on next.<\/p>\n\n\n\n Then I added the Coupon_id parameter to the URL. I noticed that we can apply 30% off on this plan. By default, this plan allows only 20% off, but using this way I was able to apply 30% off, leading to more significant loss for the company.<\/p>\n\n\n\n Note: When I tried to use the Coupon_id parameter on an unauthorized plan, this didn\u2019t work. But many times I noticed that we can use it on an unauthorized plan if we enter payment details and click on next , then append the Coupon_id to the URL. Otherwise, the PoC doesn\u2019t work.<\/p>\n\n\n\n This is the response from the customer. Unfortunately This reward is one of many rewards that I was not able to receive, due to my payment profile and my Bugcrowd account being blocked because of unintentionally breaking the payment policy.<\/p>\n\n\n\n Thank you, brothers. I hope this was useful for you.<\/strong> \ud83d\udc4d<\/p>\n\n\n\n
<\/p>\n\n\n\n![\"\"](\"https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/Screenshot-from-2026-03-26-21-39-35.png\")
<\/figure>\n\n\n\n\n
<\/li>\n\n\n\n\n
![\"\"](\"https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/Screenshot-from-2026-03-26-21-43-54.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/03\/Screenshot-from-2026-03-26-21-48-21.png\")
<\/figure>\n\n\n\n
<\/p>\n\n\n\n![\"\"](\"https:\/\/stories.secone4all.com\/wp-content\/uploads\/2026\/04\/1767898545436-473x1024.jpeg\")
<\/figure>\n\n\n\n