Security Advisory – Medium Severity – WP eCommerce WordPress Plugin

Advisory for: WordPress WP eCommerce Plugin
Security Risk: Medium (DREAD score: 6/10)
Exploitation level: Easy/Remote
Vulnerability: Information leak and access control bypass.
Patched Version: 3.8.14.4

If you’re using the popular WP eCommerce WordPress plugin (2,900,000 downloads), you should update it right away. During a routine audit for our Website Firewall (WAF), we found a dangerous vulnerability that an unauthenticated attacker could use to read and modify private information on the site.

The vulnerability allows an attacker to export the names, addresses and other confidential information of everyone who has ever made a purchase through the plugin. It also allows an attacker to modify someone’s orders (e.g., from non-paid to paid and vice versa). We discovered it and disclosed it to the WP eCommerce team this week; they patched it immediately and released version 3.8.14.4 to fix the issue.

What are the risks?

Any WordPress-based website running WP eCommerce version 3.8.14.3 (or lower) is at risk. An attacker could perform administrative tasks without being authenticated as an administrator on the target website. Using this vulnerability, one could send a few requests to the website and dump all client personal information (names, emails, addresses, etc.). It is also possible for someone to buy products and then change the status of their own transaction to Accepted Payment without actually making the payment.

If you use an affected version of this plugin, please update it as soon as possible! Note that sites using our Website Firewall product are already protected against this threat via the default virtual hardening rules.

Technical Details

This vulnerability is similar to the Mailpoet one disclosed a few weeks ago. The plugin developers assumed that WordPress’s admin_init hook fires only when an administrator is logged in and visiting a page under /wp-admin/, so they attached privileged actions to it without checking who the current user is. However, any request to /wp-admin/admin-post.php (or /wp-admin/admin-ajax.php) also fires admin_init, and neither of those endpoints requires the visitor to be authenticated: the login redirect (auth_redirect()) only happens for regular admin screens loaded through wp-admin/admin.php. Any action hung on admin_init therefore has to enforce its own authorization with current_user_can(), and, for anything that changes state, verify a nonce as well.
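To make the mistake concrete, here is an added illustration written for this page; it is not WP eCommerce’s code and not from the original advisory. The plugin prefix (hypo_), the customers table, the query parameters, the action name and the capability are all hypothetical. The first handler shows the flawed assumption (a privileged export hung on admin_init with no caller check); the second shows the same export moved to an admin_post_{action} hook with a capability check and a nonce.

```php
<?php
/*
 * Added example for this page. Not WP eCommerce code; every name below is hypothetical.
 *
 * PATTERN 1 (vulnerable): export hung on 'admin_init'.
 * admin_init is fired by /wp-admin/admin-post.php and /wp-admin/admin-ajax.php for
 * anonymous visitors too, so an unauthenticated GET such as
 *   /wp-admin/admin-post.php?hypo_export=1
 * reaches this callback and dumps the whole table.
 */
add_action( 'admin_init', 'hypo_shop_export_customers_vulnerable' );
function hypo_shop_export_customers_vulnerable() {
    if ( empty( $_GET['hypo_export'] ) ) {
        return; // ordinary admin page load, nothing to do
    }
    // No current_user_can(), no nonce: whoever can reach admin-post.php gets the data.
    hypo_shop_send_customer_csv();
}

/*
 * PATTERN 2 (hardened): same export registered on 'admin_post_hypo_export'.
 * admin-post.php dispatches 'admin_post_{action}' only when is_user_logged_in();
 * anonymous requests go to 'admin_post_nopriv_{action}', which is deliberately
 * NOT registered here. Being logged in is still not enough, so the handler also
 * checks a capability (authorization) and a nonce (CSRF).
 */
add_action( 'admin_post_hypo_export', 'hypo_shop_export_customers_hardened' );
function hypo_shop_export_customers_hardened() {
    // 1. Authorization: hypothetical capability for shop administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry the nonce minted for this action (dies otherwise).
    check_admin_referer( 'hypo_export_customers' );
    hypo_shop_send_customer_csv();
}

/*
 * The admin screen that offers the export must build the link with the matching nonce.
 * (Hypothetical helper; the screen itself is not shown.)
 */
function hypo_shop_export_link() {
    return wp_nonce_url(
        admin_url( 'admin-post.php?action=hypo_export' ),
        'hypo_export_customers'
    );
}

/* Shared helper: query the hypothetical customers table and stream it as CSV. */
function hypo_shop_send_customer_csv() {
    global $wpdb;
    $table = $wpdb->prefix . 'hypo_customers'; // hypothetical table
    $rows  = $wpdb->get_results( "SELECT name, email, address FROM {$table}", ARRAY_A );
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="customers.csv"' );
    echo "name,email,address\n";
    foreach ( $rows as $row ) {
        echo implode( ',', array_map( 'hypo_csv_field', $row ) ), "\n";
    }
    exit;
}

/* Quote a CSV field and neutralize formula prefixes so the file is safe to open in a spreadsheet. */
function hypo_csv_field( $value ) {
    $value = (string) $value;
    if ( $value !== '' && strpbrk( $value[0], '=+-@' ) !== false ) {
        $value = "'" . $value; // defang =cmd|...  style CSV injection
    }
    return '"' . str_replace( '"', '""', $value ) . '"';
}
```

A quick check you can run against any plugin you maintain: grep for add_action( 'admin_init' and, for every callback that reads request parameters and then touches the database, confirm it calls current_user_can() (and check_admin_referer() or wp_verify_nonce() for state changes) before doing so. If a handler genuinely must serve anonymous visitors, register it on admin_post_nopriv_{action} or wp_ajax_nopriv_{action} on purpose, so the exposure is explicit rather than accidental.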

We will not disclose more details until we give time for people to patch their sites.
