Security Vulnerability Discovered and Patched in WP eCommerce


If you use WP eCommerce, you’ll want to update as soon as possible to fix a security vulnerability discovered by Sucuri. According to the announcement, the vulnerability could be used by a malicious user to easily access and modify private information on a site. Any website running WP eCommerce 3.8.14.3 or lower is at risk.

A malicious attacker could use the exploit to export user names, addresses, and other private information. It also allows an attacker to modify orders, e.g. changing their status from unpaid to paid. The vulnerability is similar to the one suffered by MailPoet earlier this year.

The plugin developers assumed that WordPress’s admin_init hook was only called when an administrator was logged in and visited a page inside /wp-admin/. However, any request to /wp-admin/admin-post.php (or admin-ajax.php) also executes this hook, without requiring the user to be authenticated.
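To make the root cause concrete, here is an added illustration of the anti-pattern the article describes beside a hardened version. This is not WP eCommerce’s code; it is a hypothetical plugin (the `myshop_` function, option and post type names are assumptions) that exports orders as CSV. The vulnerable variant does its privileged work straight from admin_init, which admin-post.php and admin-ajax.php fire before checking whether anyone is logged in; the hardened variant hooks a dedicated admin_post_ action, which WordPress only dispatches for authenticated users, and still verifies the capability and a nonce before acting.

```php
<?php
// Added example, not the plugin's own code. Hypothetical "myshop" plugin
// that lets a shop owner download all orders as CSV.

// Shared worker: writes orders (assumed custom post type) as CSV to the
// response. Both variants below call it; the difference is who may reach it.
function myshop_send_order_csv() {
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'order_id', 'status', 'customer_email' ) );
    $orders = get_posts( array(
        'post_type'      => 'myshop_order',   // assumed post type
        'post_status'    => 'any',
        'posts_per_page' => -1,
    ) );
    foreach ( $orders as $order ) {
        fputcsv( $out, array(
            $order->ID,
            get_post_meta( $order->ID, '_myshop_status', true ), // assumed meta keys
            get_post_meta( $order->ID, '_myshop_email', true ),
        ) );
    }
    fclose( $out );
}

// VULNERABLE PATTERN (the assumption the article describes).
// admin_init runs on every /wp-admin/ request, including
// /wp-admin/admin-post.php and /wp-admin/admin-ajax.php, which WordPress
// serves to unauthenticated visitors. Nothing here checks who is asking.
function myshop_export_orders_vulnerable() {
    if ( isset( $_GET['myshop_action'] ) && 'export_orders' === $_GET['myshop_action'] ) {
        myshop_send_order_csv(); // no is_user_logged_in(), no current_user_can(), no nonce
        exit;
    }
}
// add_action( 'admin_init', 'myshop_export_orders_vulnerable' ); // do NOT do this

// HARDENED PATTERN.
// 1. Hook "admin_post_{action}" instead of admin_init. WordPress fires this
//    hook only for logged-in users; the unauthenticated path would fire
//    "admin_post_nopriv_{action}", which we deliberately do not register.
// 2. Check the capability explicitly rather than trusting the hook.
// 3. Verify a nonce so a logged-in admin cannot be tricked into triggering
//    the export from another site (CSRF).
function myshop_export_orders_secure() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to export orders.', 'myshop' ), 403 );
    }
    check_admin_referer( 'myshop_export_orders' ); // dies on a missing or bad nonce
    myshop_send_order_csv();
    exit;
}
add_action( 'admin_post_myshop_export_orders', 'myshop_export_orders_secure' );

// The link the admin screen renders carries the matching nonce.
function myshop_export_orders_url() {
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=myshop_export_orders' ),
        'myshop_export_orders'
    );
}
```

The same reasoning applies to AJAX handlers: register work that needs a logged-in user on `wp_ajax_{action}` only, leave `wp_ajax_nopriv_{action}` unregistered unless the action is genuinely public, and still call `current_user_can()` and `check_ajax_referer()` inside the callback. The hook a request arrived on is never a substitute for an explicit authorization check.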

Sucuri discovered the vulnerability during a routine audit of its firewall service. After it was disclosed to WP eCommerce earlier this week, the development team quickly patched the issue and released an update. Sucuri states that details of the vulnerability will not be published until users have had time to update their sites.

3 Comments


  1. We’re super grateful to Sucuri for responsibly disclosing this vulnerability. They’re a great gift to the WordPress community, and the open source ecosystem at large.



  2. I really couldn’t do without Sucuri. We run a small MMORPG server and WordPress website, and we get “hack” attempts 24/7 by teens just for giggles, I guess. It’s been tiring trying to make sure our site and WooCommerce are secure. Although they haven’t been successful yet, Sucuri really does help us a lot. And the WP Ban plugin.



  3. Well, at least they didn’t do a “Drupal” and disclose the problem without giving people time.

