Instant Win feature for WooCommerce Lottery with Pick Number Mod addon – security considerations

Since version v2.3.0 of the Pick Number Mod addon we have introduced an instant win feature, as requested by our clients. After that introduction we also received some inquiries from clients asking about a possible flaw: users who have a pending order can see their ticket numbers. The fact is that the user can indeed see the ticket numbers, but cannot know that those numbers are instant win numbers until the order is in processing or completed status, unless you have published that information.

There is also a setting in the WooCommerce Settings > Lottery tab called “Hide ticket numbers until order has been paid”. It is useful for lotteries that have instant win numbers, for example when you use the randomly assigned number option and publish the instant win tickets on your single lottery page or elsewhere in the frontend. The setting is enabled by default.
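As an added illustration (not the addon's own code), this is how such a gate can be expressed in WooCommerce terms: ticket numbers are returned only when the order is paid or the hide setting is off, and the instant win flag is never returned for an unpaid order. The function name, the option key and the ticket row shape are assumptions.

```php
<?php
// Added example, not the Pick Number Mod addon's code. The function name,
// the option key and the shape of the ticket rows are illustrative assumptions.

/**
 * Return the ticket data the current customer may see for $order.
 *
 * @param WC_Order $order   The order being displayed.
 * @param array    $tickets Rows like ['number' => 17, 'instant_win' => true] (assumed shape).
 * @return array   Rows that are safe to render for this order state.
 */
function example_lottery_visible_tickets( WC_Order $order, array $tickets ) {
    // Only the owner of the order may see anything about its tickets.
    if ( (int) $order->get_customer_id() !== get_current_user_id() ) {
        return array();
    }

    // Mirrors the "Hide ticket numbers until order has been paid" setting;
    // the option key is an assumption, the default 'yes' matches "enabled by default".
    $hide_until_paid = 'yes' === get_option( 'example_lottery_hide_until_paid', 'yes' );

    // WC_Order::is_paid() is true for WooCommerce's paid statuses
    // (processing and completed by default).
    $paid = $order->is_paid();

    $visible = array();
    foreach ( $tickets as $ticket ) {
        $row = array();

        if ( $paid || ! $hide_until_paid ) {
            $row['number'] = (int) $ticket['number'];
        } else {
            // Pending or on-hold orders get a placeholder instead of the number.
            $row['number'] = 'hidden until payment';
        }

        // The instant win flag is exposed only after payment, whatever the setting:
        // an unpaid customer must not learn which of their numbers are winners.
        if ( $paid ) {
            $row['instant_win'] = ! empty( $ticket['instant_win'] );
        }

        $visible[] = $row;
    }

    return $visible;
}
```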

If someone is getting too many instant wins, it could mean that they used an exploit for the outdated WordPress version you use, or for some plugin or theme. That means the user can get administrator access to wp-admin, and your security is breached. You need to get someone from your hosting support to check and clean your site, update everything to the latest versions, install security software and use a web application firewall (the easiest way to do that is via the CloudFlare web application firewall).

In our opinion, malicious requests should be filtered out before they reach WordPress (CloudFlare firewall, mod_security, etc.). The most trivial thing you can do is to implement password protection for the /wp-admin/ directory.

We have introduced encryption for ticket numbers in the database so they are not stored in plain text, but anyone who can access your wp-admin as an administrator user can still access that data.