Security Risk: Medium
Exploitation Level: Easy/Remote
DREAD Score: 6/10
Vulnerability: Information leak and access control bypass.
Patched Version: 3.8.14.4
If you’re using the popular WP eCommerce WordPress plugin (2,900,000 downloads), you should update it right away. During a routine audit for our Website Firewall (WAF), we found a dangerous vulnerability that a malicious user could exploit to easily gain access to, and modify, private information on the site.
The vulnerability allows an attacker to export the user names, addresses and other confidential information of anyone who ever made a purchase through the plugin. It also allows an attacker to modify someone’s orders (e.g., from non-paid to paid and vice versa). It was discovered and disclosed this week, and the WP eCommerce development team immediately patched it, releasing version 3.8.14.4 to fix the issue.
What are the risks?
Any WordPress-based website running WP eCommerce version 3.8.14.3 (or lower) is at risk. An attacker could perform administrative tasks without actually being authenticated as an administrator on the target website. Using this vulnerability, one could send a few requests to the website’s database, dumping all client personal information (including names, emails, addresses, etc.). It is also possible for someone to buy products and change the status of their transaction to Accepted Payment without actually making the payment.
If you use an affected version of this plugin, please update it as soon as possible! Note that sites using our Website Firewall product are already protected against this threat via the default virtual hardening rules.
Technical Details
This vulnerability is similar to the MailPoet one disclosed a few weeks ago. The plugin developers assumed that the WordPress admin_init hook was only called when an administrator was logged in and visited a page inside /wp-admin/. However, any request to /wp-admin/admin-post.php (or admin-ajax.php) also executes this hook, without requiring the user to be authenticated, so any privileged action performed inside an admin_init callback must verify the caller’s capability itself rather than relying on the hook as proof of an admin session.
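The pattern described above, as an added illustration that is not WP eCommerce’s code: a hypothetical plugin handler (assumed names mysh_handle_export, mysh_export_customers and the request parameter mysh_export) that acts on a request from inside admin_init, shown first in the weak form and then with the capability and nonce checks that make it safe regardless of which entry point fired the hook.

```php
<?php
// Added example, not code from WP eCommerce. The handler and parameter
// names (mysh_*) are assumptions for illustration only.

// Weak pattern (do not register): admin_init also fires for unauthenticated
// requests to /wp-admin/admin-post.php and admin-ajax.php, so reaching this
// callback proves nothing about who the caller is.
function mysh_handle_export_weak() {
    if ( isset( $_GET['mysh_export'] ) ) {
        mysh_export_customers(); // would run for anyone sending the parameter
    }
}

// Hardened pattern: the hook is the same, but the privileged action is only
// performed after an explicit authentication, capability and nonce check.
function mysh_handle_export_hardened() {
    if ( ! isset( $_GET['mysh_export'] ) ) {
        return;
    }
    // Reject logged-out visitors and logged-in users without admin rights.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Reject requests that were not generated from the plugin's own admin
    // page (CSRF protection); check_admin_referer() dies on a bad/missing nonce.
    check_admin_referer( 'mysh_export_customers' );
    mysh_export_customers();
}
add_action( 'admin_init', 'mysh_handle_export_hardened' );

// Hypothetical privileged action; a real plugin would stream the export here.
function mysh_export_customers() {
    // ... build and send the customer export ...
}
```

When generating the link or form that triggers the export, the matching nonce comes from wp_nonce_url() or wp_nonce_field() with the same action string, 'mysh_export_customers'.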
We will not disclose more details until we give time for people to patch their sites.