If you use WP eCommerce, you’ll want to update as soon as possible to fix a security vulnerability discovered by Sucuri. According to the announcement, the vulnerability could be used by a malicious user to easily get access to, and modify, private information on a site. Any website using WP eCommerce 3.8.14.3 or lower is at risk.
A malicious attacker could use the exploit to export user names, addresses, and other private information. It also allows an attacker to modify orders (e.g. changing an order from non-paid to paid). The vulnerability is similar to the one suffered by MailPoet earlier this year.
The plugin developers assumed that WordPress’s admin_init hook was only called when an administrator was logged in and visited a page inside /wp-admin/. However, any request to /wp-admin/admin-post.php (or admin-ajax.php) also executes this hook, and it does so before WordPress checks whether the user is authenticated.
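To make the mistake concrete, here is an added illustration (not WP eCommerce’s or Sucuri’s code) of the anti-pattern described above beside a hardened version. The plugin name, the `myshop_*` function names, the `manage_woocommerce`-style capability (`manage_options` here) and the CSV helper are all hypothetical; the WordPress hooks and API calls (`admin_init`, `admin_post_{action}`, `current_user_can`, `check_admin_referer`, `wp_die`) are real.

```php
<?php
/*
 * Hypothetical plugin code, added as an example; not from WP eCommerce.
 *
 * BAD: hooking a privileged action on admin_init with no authorization check.
 * admin_init fires on every request to /wp-admin/admin-post.php and
 * /wp-admin/admin-ajax.php *before* WordPress validates the auth cookie,
 * so an unauthenticated visitor can reach this code with
 *   /wp-admin/admin-post.php?myshop_export=1
 */
add_action( 'admin_init', 'myshop_handle_export_insecure' );
function myshop_handle_export_insecure() {
    if ( ! isset( $_GET['myshop_export'] ) ) {
        return;
    }
    // Wrong assumption: "only a logged-in admin can get here".
    myshop_output_customer_csv();
    exit;
}

/*
 * GOOD: register the handler on a specific admin_post_{action} hook, which
 * WordPress only fires for requests carrying a valid auth cookie, and then
 * verify both the capability and a nonce yourself. Never rely on the hook
 * name alone for authorization.
 */
add_action( 'admin_post_myshop_export', 'myshop_handle_export_secure' );
function myshop_handle_export_secure() {
    // 1. Authorization: the caller must hold an appropriate capability.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. CSRF protection: require the nonce that the export form/link carries.
    check_admin_referer( 'myshop_export' ); // dies with 403 if missing/invalid
    myshop_output_customer_csv();
    exit;
}

/*
 * How the admin UI should build the link so the secure handler accepts it.
 * wp_nonce_url() appends _wpnonce; admin_url() yields the admin-post.php URL.
 */
function myshop_export_link() {
    $url = add_query_arg( 'action', 'myshop_export', admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'myshop_export' );
}

/* Hypothetical helper: streams the customer list as CSV (constructed sample data). */
function myshop_output_customer_csv() {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="customers.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'name', 'address' ) );
    fputcsv( $out, array( 'Example Customer', '1 Example Street' ) ); // constructed
    fclose( $out );
}
```

The same reasoning applies to AJAX: a `wp_ajax_nopriv_{action}` hook is reachable by anyone, and even `wp_ajax_{action}` only proves a login, not a role, so any state-changing or data-exporting handler needs its own `current_user_can()` check plus a nonce (`check_ajax_referer()`), regardless of which hook it was attached to.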
Sucuri discovered the exploit during a routine audit of its firewall service. After being disclosed to WP eCommerce earlier this week, the development team quickly patched the exploit and released an update. Sucuri states details of the vulnerability will not be published until users have had time to update their sites.
We’re super grateful to Sucuri for responsibly disclosing this vulnerability. They’re a great gift to the WordPress community, and the open source ecosystem at large.