5,000+ e-commerce sites at risk due to buggy WordPress plugin
A popular WordPress e-commerce plugin that is actively used on over 5,000 websites contains high-risk vulnerabilities that can be exploited to compromise customers’ data, execute arbitrary PHP code, and perform Cross-Site Scripting attacks against users of WordPress installations, claim High-Tech Bridge researchers.
The plugin in question is TheCartPress eCommerce Shopping Cart, and the bugs affect version 1.3.9 (the latest) and probably prior ones, the researchers say.
They discovered the flaws earlier this month, and notified the developers on April 8. After having received no answer from them after repeatedly trying to contact them via several different channels, they published technical details about them with the hope that the developers will be forced to react quickly and patch them.
I don’t know how likely that is, as the developers noted before that support for TheCartPress plugin will end on June 1, 2015.
Technical details about the vulnerabilities – a PHP file inclusion, an improper access control, and several XSS flaws – and PoC exploit code can be found in this security advisory.
Until a fix is provided, users are advised to disable or remove the plugin.