Malicious users took away my limited item by injecting a script into the experience while the prompt itself hasn’t even been set up yet:
Item link: Tercyduk - Roblox
Expected behavior
Items should not be able to be taken when prompt is inactive/not set up yet by the developer
A private message is associated with this bug report
Thank you for the report. We have assigned this to our team for further investigation.
Do you perhaps have an admin system in your experience? There is unfortunately a known vulnerability with one of the popular admin systems which has a “!buy-item” command which prompts purchases on the server of any asset the requester wishes.
