WP eCommerce is a widely used free e-commerce plugin with more than 2,900,000 downloads. If you are using this WordPress plugin, its time to update it right away.
During a routine audit of its firewall service, security experts of Sucuri found a dangerous vulnerability in the WordPress plugin “WP eCommerce” which allows malicious users to gain administrative access and modify personal information of users.
This vulnerability of WP eCommerce allows malicious users to export all usernames and other confidential information of clients who have made purchases through this plugin since installation. Malicious users are also allowed to change the status of their order (from non-paid to paid and vice versa). To mitigate this vulnerability, WP eCommerce developers have released a patched version 3.8.14.4.
What are the risks involved?
Any WordPress based website running WP eCommerce version 3.8.14.3 (or lower) are at risk. An attacker can easily perform administrative tasks without actually being authenticated as an administrator on the target website. By exploiting this vulnerability, web criminals can send several requests to the websites database, and compromise personal information (customer names, emails, addresses, etc…). It is also possible for end customers to buy goods and change the status of transaction to “Accepted Payment” without actually making the payment. If you are using a vulnerable version of this plugin (version 3.8.14.3 or lower) Sucuri Experts strongly recommend to upgrade the current version of the plugin.
Technical Description
This vulnerability is quite similar to Mailpoet which was disclosed a few weeks ago.
The plugin developers were under impression that WordPress’s admin_init hook was only called when the administrator user was logged in and visited a page inside/wp-admin/. However, any call to /wp-admin/admin-post.php (or admin-ajax) can also execute admin_init hook without requiring the user to be authenticated.
Additionally, Sucuri’s security experts want to allow enough time to users to patch their websites before they disclose severity of this vulnerability.
