Over the weekend, the WP eCommerce team released version 3.11.4 of its e-commerce plugin. The update patches an SQL injection vulnerability that was responsibly disclosed by Mika Epstein, a member of the WordPress.org plugin review team.
According to Justin Sainton, lead developer of WP eCommerce, the team was notified of the vulnerability on November 11th and patched it within an hour. The update was available on WordPress.org the following day.
“This vulnerability only affects users who use eWay as their payment gateway, have Gold Cart activated, and are using the as-of-yet-unreleased Theme Engine 2.0,” Sainton said.
“We believe the number of users affected is likely close to zero, due to these conditions.”
Users are strongly encouraged to update as soon as possible. Created in 2006, WP eCommerce is one of the oldest plugins in the directory and is actively installed on more than 40K sites.