Fix Wordfence issue #182

@GuilhermeFriedrichS

Description


This plugin allows an unauthenticated attacker to create unlimited partial payments (up to the order’s total amount) by providing only a user ID and an order ID. Because both user IDs and order IDs are sequential integers, they can be easily enumerated, making it trivial to add partial payments to other users’ orders. It’s even easier to target the attacker’s own orders, since they can readily obtain their own user ID and order ID. In addition, an attacker could automate this process to perform mass partial-payment injections through ID enumeration.

It also allows an unauthenticated attacker to cancel any partial payment by using its ID only. As the partial payment ID is generated by the WooCommerce system, an unauthenticated attacker can do ID enumeration and cancel mass amounts of partial payments.

Steps to Reproduce

1. Make sure you have WooCommerce and a test order which is not in paid/processing/completed status. Note down the order ID and user ID for that order.
2. Install and activate the Link Invoice Payment for WooCommerce plugin. Just keep the plugin active, nothing else.
3. Run the following cURL command from your terminal:

   ```bash
   curl -s -X POST "http://localhost/wordpress/wp-json/invoice_payments/create_partial_payment" \
     -H "Content-Type: application/json" \
     -d '{"orderId": 134, "userId": 2, "partialAmount": 50}'
   ```

   Here, replace http://localhost/wordpress with your WP URL. Replace 134 with your test order ID and 2 with the order’s user ID. The partialAmount value must be less than the order subtotal. For example, if the total is 100, you can submit any amount below 100. If you want to record multiple partial payments, you can submit partialAmount=50 and then partialAmount=50 again—just make sure the combined partial payments do not exceed the order total.
4. Now go to Admin Panel > WooCommerce > Orders and you will see the status Pagamento parcial, which means Partial Payments. View the order details by clicking it and you will see that the Pagamentos Parciais section has a new partial payment entry.
5. You will see that the partial payment got its own sequential ID. This plugin also allows cancelling any partial payment if you know the ID. As the ID is sequential, you can easily cancel any partial payment with the following cURL command:

   ```bash
   curl -s -X POST "http://localhost/wordpress/wp-json/invoice_payments/cancel_partial_payment" \
     -H "Content-Type: application/json" \
     -d '{"partialOrderId": 136}'
   ```

   Here replace http://localhost/wordpress with your WP URL and replace 136 with the ID you get from the partial payment. It's not the WooCommerce order ID, it's the partial payment ID, which uses the WooCommerce default ID assignment system. So an attacker can simply enumerate IDs and cancel any existing partial payment without any authentication or authorization.
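The root cause described above is a REST route that accepts a caller-supplied userId with no permission_callback. The following is an added example of how the create route could be registered with session-based authorization and server-side amount checks; it is not the plugin's own code, and the lip_* function names and the _lip_partial_paid_total meta key are assumptions.

```php
<?php
// Added example, not the plugin's code. Route name is taken from the report;
// lip_* names and the _lip_partial_paid_total meta key are assumed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'invoice_payments', '/create_partial_payment', array(
        'methods'             => 'POST',
        'callback'            => 'lip_create_partial_payment',
        'permission_callback' => 'lip_can_access_order', // never '__return_true'
        'args'                => array(
            'orderId'       => array( 'required' => true, 'type' => 'integer', 'minimum' => 1 ),
            'partialAmount' => array( 'required' => true, 'type' => 'number', 'exclusiveMinimum' => 0 ),
        ),
    ) );
} );

// Identity comes from the authenticated session (cookie + X-WP-Nonce, or an
// application password), never from a userId field in the request body.
function lip_can_access_order( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $order = wc_get_order( (int) $request->get_param( 'orderId' ) );
    if ( ! $order ) {
        return new WP_Error( 'rest_not_found', 'Order not found.', array( 'status' => 404 ) );
    }
    $is_owner = (int) $order->get_customer_id() === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_woocommerce' ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot act on this order.', array( 'status' => 403 ) );
    }
    return true;
}

// Business-rule checks stay in the handler even after permission_callback passed.
function lip_create_partial_payment( WP_REST_Request $request ) {
    $order  = wc_get_order( (int) $request->get_param( 'orderId' ) );
    $amount = (float) $request->get_param( 'partialAmount' );
    if ( $order->is_paid() ) {
        return new WP_Error( 'lip_already_paid', 'Order is already paid.', array( 'status' => 409 ) );
    }
    // Running total of partial payments already recorded (assumed meta key).
    $paid      = (float) $order->get_meta( '_lip_partial_paid_total' );
    $remaining = (float) $order->get_total() - $paid;
    if ( $amount > $remaining ) {
        return new WP_Error( 'lip_amount_exceeds', 'Amount exceeds remaining balance.', array( 'status' => 400 ) );
    }
    $order->update_meta_data( '_lip_partial_paid_total', $paid + $amount );
    $order->save();
    return rest_ensure_response( array( 'orderId' => $order->get_id(), 'remaining' => $remaining - $amount ) );
}
```

The cancel_partial_payment route needs the same treatment: resolve partialOrderId to its parent order first, then apply lip_can_access_order against that order rather than trusting the ID alone.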
