We had a customer (if you want to call him that) who placed 7 orders all within seconds of each other. The products he ordered were all items marked at $0 that have a contact us form rather than the add to cart CTA. That being said, there is no way for them to add this product to the cart and check out. They also found a random code we use to offer free shipping, so all 7 orders totaled $0. This all happened within one minute, which makes me believe it was some sort of bot.
I was able to set the product to draft so he was unable to make another purchase but then he just moved on to the next product listed at $0 with a contact us.
My question: how was he able to add this item to the cart when it was strictly a contact us button that took you to an email rather than checkout? How was he able to find products strictly set to $0 so fast? Has this happened to anyone?
One can use the cart API to add products to the cart; there is no need to use your product page form(s).
One can also see the actual product price by fetching the /products/XXX.js or /products/XXX.json files, or use the search and filter API to find zero-price products.
You need to ensure that products you do not want to sell are set as unsellable in the backend.
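
A store-side audit along the lines of the answer's last point, as an added example that is not part of the original thread: it scans a product catalog export for variants priced at $0 that the backend still treats as purchasable, since replacing the add-to-cart button with a contact form does not change that. The JSON field names (`handle`, `variants`, `price`, `available`) and the sample catalog are assumptions, constructed for illustration.

```python
import json
from decimal import Decimal

# Constructed sample catalog export. The field names (handle, variants,
# price, available) are an assumption about the platform's product JSON.
SAMPLE_CATALOG = json.loads("""
{"products": [
  {"handle": "custom-quote-widget", "variants": [
    {"id": 101, "price": "0.00", "available": true}]},
  {"handle": "standard-widget", "variants": [
    {"id": 201, "price": "19.99", "available": true}]},
  {"handle": "legacy-quote-item", "variants": [
    {"id": 301, "price": "0.00", "available": false}]},
  {"handle": "bundle", "variants": [
    {"id": 401, "price": "49.00", "available": true},
    {"id": 402, "price": "0", "available": true}]}
]}
""")


def find_purchasable_zero_price(catalog):
    """Return (handle, variant_id) for every variant that costs nothing
    but that the backend would still accept in a cart."""
    findings = []
    for product in catalog.get("products", []):
        for variant in product.get("variants", []):
            # A missing or null price is treated as zero so it gets reviewed.
            price = Decimal(str(variant.get("price") or "0"))
            # A missing "available" flag is treated as purchasable, so the
            # audit errs on the side of reporting.
            if price == 0 and variant.get("available", True):
                findings.append((product["handle"], variant["id"]))
    return findings


if __name__ == "__main__":
    for handle, variant_id in find_purchasable_zero_price(SAMPLE_CATALOG):
        print(f"{handle}: variant {variant_id} is $0 and still purchasable")
```

Anything this reports is a product whose storefront template hides checkout but whose backend state still allows an order.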