A serious vulnerability has been discovered in the popular e-commerce plugin for WordPress called WP e-Commerce.
If left unpatched, a WordPress installation utilizing version 126.96.36.199 of WP e-Commerce or earlier could allow an attacker to gain access to all user names, addresses, and other information of any customer who ever made a purchase from the affected site.
An attacker could also perform administrative tasks on an affected site or modify orders placed by customers without authenticating as an administrator. According to Sucuri, the discoverer of the flaw: “The plugin developers assumed that the WordPress’s admin_init hook was only called when the administrator was logged in and visited a page inside /wp-admin/. However, any call to /wp-admin/admin-post.php (or admin-ajax) also executes this hook without requiring the user to be authenticated.”
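For plugin developers, the sketch below shows the pattern Sucuri describes next to a hardened form. It is an added example, not code from WP e-Commerce or from Sucuri. The `myshop_*` function names, the `myshop_action` request parameter and the nonce action string are hypothetical. The WordPress functions called are real core APIs.

```php
<?php
// Added illustration. All myshop_* names and the 'myshop_action' parameter
// are hypothetical and do not come from WP e-Commerce.

// BEFORE: relies on admin_init as if it were an access check. The hook also
// fires for unauthenticated requests to /wp-admin/admin-post.php and
// /wp-admin/admin-ajax.php, so nothing here verifies who is calling.
add_action( 'admin_init', 'myshop_export_customers_unsafe' );
function myshop_export_customers_unsafe() {
    if ( isset( $_REQUEST['myshop_action'] ) && 'export_customers' === $_REQUEST['myshop_action'] ) {
        myshop_send_customer_csv(); // no login, capability or nonce check
        exit;
    }
}

// AFTER: the handler verifies the caller itself before doing any work.
// (A real plugin would ship only this version.)
add_action( 'admin_init', 'myshop_export_customers_safe' );
function myshop_export_customers_safe() {
    if ( ! isset( $_REQUEST['myshop_action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['myshop_action'] ) );
    if ( 'export_customers' !== $action ) {
        return;
    }
    // 1. Authorization: only users holding an administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to export customer data.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 2. Intent: require a valid nonce so the request cannot be forged
    //    through a logged-in administrator's browser (CSRF).
    check_admin_referer( 'myshop_export_customers' );

    myshop_send_customer_csv();
    exit;
}

// Minimal stand-in for the sensitive operation being protected.
function myshop_send_customer_csv() {
    header( 'Content-Type: text/csv; charset=utf-8' );
    echo "customer_id,name,address\n"; // rows would be read from the store's tables
}
```

The same two checks apply to any callback registered on `admin_init`, `admin_post_*` or `wp_ajax_*` that reads or changes data.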
Any site utilizing WP e-Commerce should update to the patched version of the plugin immediately.
The current version of WP e-Commerce is 188.8.131.52 and can be downloaded from WordPress.org.
For more details on the vulnerability, please visit Sucuri’s Blog:
Advisory for: WordPress WP e-Commerce Plugin
NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.