[Sohcahtoa82]

To be blunt, that guy sounds like a dick.

This should have been a great learning opportunity, instead he took it as a personal attack.

I'm doubting his claim of 10 years experience. Someone with that much experience writing any sort of web code should know what a cross-site scripting vulnerability is, what can be done with it, and how to make sure it doesn't happen.

I've never used Fiverr before, but does it allow you to rate them? I'd drop a 1-star and comment that he reacted aggressively when you told him about a security vulnerability found in his code.

[SecurityNoob]

It’s too late for me. Basically I had this coded a month ago and as soon as it worked, I 5-starred and I was far too quick to say thank you (and tip him).

From this guys response, I’m thinking that I need someone to evaluate all of the code - I don’t have faith in and don’t understand it all.

Maybe Fiverr isn’t the best place for WooCommerce work after all!

[CommitSyn]

Now's a great time to learn how to read basic PHP and how to modify code to sanitize input. It's low-hanging knowledge that won't take much time. You're not going to prevent the OWASP top30, but you can stop SQLi and XSS and maybe get more into webappsec.

Input going into DB: https://wordpress.stackexchange.com/questions/114344/how-to-...

Input being displayed from DB: https://developer.wordpress.org/reference/functions/sanitize...

But also, steal his cookie. Allow the student to become the teacher and see if he takes it as a humble learning experience.