I am here to share an exploit which has affected some. I am sitting on a bunch more.
None of the current markets are good. I wonder when we'll get our hands on some competent developers?
It's very simple to pull off; at the vendors PoV save the URL to cancel the order (right click on the button, copy link address). Note it down in a notepad document. When you have marked it shipped, and the money is in your account. Paste the link in the URL. The PHP script activated does no checks about whether or not it's marked shipped, and will simply flip the flag in the database.
This is a PSA; please do not abuse this vendors. And to buyers. Don't buy non-escrow products right now from vendors you don't normally buy at.
[removed]