A security hole has been discovered in the Worldpay module for Zen Cart, ZenCart have removed this plug-in from their download area until it can be fixed.

It is possible for someone to order goods without paying. If you're using this module, I suggest you either disable it, or manually check every transaction on the Worldpay site until a fix is released.

For more info, see http://www.zen-cart.com/forum/showthread.php?t=39106&page=40

that would be the post model worldpay select still allows. Only a security hole if you fail to validate productid x quantity x price in your backend script