Sucuri Blog – Website Security News
Security Advisory – Medium Severity – WP eCommerce WordPress Plugin

October 30, 2014, by Mickael Nadeau

Security Risk: Medium

Exploitation Level: Easy/Remote

DREAD Score: 6/10

Vulnerability: Information leak and access control bypass.

Patched Version: 3.8.14.4


If you’re using the popular WP eCommerce WordPress plugin (2,900,000 downloads), you should update it right away. During a routine audit for our Website Firewall (WAF), we found a dangerous vulnerability that a malicious user could exploit, without any credentials, to read and modify private information stored by the plugin.

The vulnerability allows an attacker to export the names, addresses and other confidential details of everyone who has ever made a purchase through the plugin. It also allows an attacker to modify orders (e.g., flip the status from non-paid to paid and vice versa). We discovered and disclosed the issue this week, and the WP eCommerce development team patched it immediately, releasing version 3.8.14.4 to fix it.

What are the risks?

Any WordPress-based website running WP eCommerce version 3.8.14.3 (or lower) is at risk. An attacker can perform administrative tasks without being authenticated as an administrator on the target website. Using this vulnerability, a few crafted requests are enough to dump all customer personal information held in the site’s database (names, emails, addresses, etc.). It is also possible for someone to buy products and then change the status of their own transaction to Accepted Payment without actually paying.

If you use an affected version of this plugin, please update it as soon as possible! Note that sites using our Website Firewall product are already protected against this threat via the default virtual hardening rules.

Technical Details

This vulnerability is similar to the MailPoet issue disclosed a few weeks ago. The plugin developers assumed that WordPress’s admin_init hook only fires when an administrator is logged in and visiting a page inside /wp-admin/. However, any request to /wp-admin/admin-post.php (or admin-ajax.php) also executes this hook, and neither of those entry points requires the user to be authenticated. Any privileged action hooked to admin_init without its own capability check is therefore reachable by anonymous visitors.
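The following is an added illustration written for this post; it is not WP eCommerce’s code, and the function names, the `example_export` request parameter and the nonce action are all hypothetical. It shows the general anti-pattern the paragraph describes (a privileged handler hooked to `admin_init` that trusts the hook itself as proof of an admin session) next to the hardened form that checks a capability and a nonce explicitly.

```php
<?php
/**
 * Added example (not plugin code). Why admin_init is not an access control:
 * it fires from wp-admin/admin.php, which is loaded by the dashboard pages
 * AND by wp-admin/admin-ajax.php and wp-admin/admin-post.php. Those two
 * entry points deliberately serve unauthenticated requests (that is what the
 * *_nopriv hooks exist for), so anything hooked here runs for anonymous
 * visitors as well.
 */

// --- Vulnerable pattern: relies on the hook as proof of an admin session ---
add_action( 'admin_init', 'example_vuln_export_customers' );
function example_vuln_export_customers() {
    // Hypothetical trigger parameter (the real plugin's parameter is not reproduced here).
    if ( ! isset( $_GET['example_export'] ) ) {
        return;
    }
    // No capability check and no nonce: an anonymous
    // GET /wp-admin/admin-post.php?example_export=1 reaches this line.
    example_stream_customer_csv();
}

// --- Hardened pattern: explicit capability check plus CSRF nonce ---
add_action( 'admin_init', 'example_safe_export_customers' );
function example_safe_export_customers() {
    if ( ! isset( $_GET['example_export'] ) ) {
        return;
    }
    // is_admin() is NOT a substitute for this: it also returns true on
    // admin-ajax.php and admin-post.php, including for logged-out users.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to export customer data.' ),
            '',
            array( 'response' => 403 )
        );
    }
    // Rejects forged requests riding on a logged-in admin's browser (CSRF).
    check_admin_referer( 'example_export_customers', 'example_nonce' );
    example_stream_customer_csv();
}

// The legitimate trigger link carries the matching nonce.
function example_export_link() {
    $url = add_query_arg( 'example_export', '1', admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'example_export_customers', 'example_nonce' );
}

// Stand-in for the sensitive operation; emits a constructed two-row CSV.
function example_stream_customer_csv() {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="customers.csv"' );
    echo "name,email\n";
    echo "Example Customer,customer@example.test\n";
    exit;
}
```

Two design notes. First, the hardened handler keeps the `admin_init` hook only to stay close to the vulnerable version; a cleaner fix for admin-post.php requests is to hook `admin_post_{action}` instead, which WordPress only fires for logged-in users (anonymous requests go to `admin_post_nopriv_{action}`), and then still perform the `current_user_can()` and `check_admin_referer()` checks inside it. Second, the same reasoning applies to order-status changes: every state transition that should be restricted to staff needs its own capability check at the point where the request is handled, not an assumption about where the hook was reached from.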

We will not disclose more details until we give time for people to patch their sites.


Categories: Ecommerce Security, Security Advisory, Vulnerability Disclosure, Website Security
Tags: WordPress Plugins and Themes

About Mickael Nadeau

Mickael is a Vulnerability Researcher here at Sucuri. He loves vegetables, a healthy lifestyle and is a big fan of harp melodies and classical music. During his free time, you’ll never find him on his computer – more like a yoga mat. Joking aside, you can find him on Twitter at @Mick4Secure.
