Information leak and access control bypass in WordPress WP eCommerce Plugin

Exploitation of this vulnerability allows criminals to export all the user names, addresses and other confidential information of clients.

Researchers at Sucuri found a dangerous vulnerability in the “WP eCommerce” plugin that allows attackers to easily access and edit users' personal information.

Exploitation of the vulnerability allows criminals to export the user names, addresses and other confidential information of every client who has ever made a purchase through the plugin. Attackers can also change the status of an order (from non-paid to paid and vice versa). The plugin developer has released a patched version, WP eCommerce 3.8.14.4.

All WordPress-based websites running WP eCommerce 3.8.14.3 or earlier are at risk. The flaw lets attackers bypass authentication and perform actions that require administrator rights: by sending multiple queries to a website's database, they can compromise clients' personal information (including names, physical addresses, email addresses, etc.). Third parties can also obtain goods without actually paying by changing the transaction status to “accepted payment”.

Sucuri's experts strongly recommend that all users upgrade their current version of the plugin.

Vulnerability: Security Bypass in WordPress WP eCommerce Plugin

Danger level: Medium Severity

Availability of fixes: Yes

Number of vulnerabilities: 1

CVSSv2 Rating: (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:O/RC:C) = Base: 7.5 / Temporal: 5.5

CVE ID: No Information

Attack vector: Remote

Impact: Disclosure of sensitive data, Security Bypass

Affected products: WordPress WP eCommerce Plugin 3.x

Affected versions: WordPress WP eCommerce versions before 3.8.14.4

Description:

This vulnerability is similar to the MailPoet vulnerability disclosed a few weeks ago. It allows a remote user to bypass security restrictions and gain access to important data.

The vulnerability is caused by an error in the authentication mechanism when requests to the script “/wp-admin/admin-post.php” are processed. A remote user can bypass the authentication mechanism and gain access to confidential data.

Solution: Install the latest version 3.8.14.4 from the manufacturer.
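To find installations that still need the update, the following added example (not part of the advisory or of the plugin's code) walks a directory tree of WordPress sites, reads the plugin's `Version:` header and flags every copy older than 3.8.14.4. It assumes the plugin sits in a directory named after its wordpress.org slug, `wp-e-commerce`; the function names are illustrative.

```python
"""Flag WP eCommerce installs older than the patched 3.8.14.4 release."""
import re
import sys
from pathlib import Path

FIXED = (3, 8, 14, 4)   # patched release named in the advisory
SLUG = "wp-e-commerce"  # assumption: plugin directory name equals the wordpress.org slug

# Header lines such as " * Version: 3.8.14.3" in the plugin's main PHP file.
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)


def parse_version(text):
    """'3.8.14.3' -> (3, 8, 14, 3); short versions are zero-padded, junk gives None."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not match:
        return None
    nums = [int(n) for n in match.group(1).split(".")]
    return tuple(nums + [0] * (len(FIXED) - len(nums)))


def is_affected(version_text):
    """True for versions before 3.8.14.4; unparseable versions are treated as affected."""
    version = parse_version(version_text)
    return version is None or version < FIXED


def read_headers(php_file):
    """Return the header fields found in the first 8 KiB of a PHP file."""
    with open(php_file, "rb") as fh:
        head = fh.read(8192).decode("utf-8", "replace")
    return {key.lower(): value.strip() for key, value in HEADER.findall(head)}


def audit(root):
    """Find every copy of the plugin below root; return (path, version, affected) rows."""
    rows = []
    for php_file in sorted(Path(root).rglob(f"wp-content/plugins/{SLUG}/*.php")):
        headers = read_headers(php_file)
        if "plugin name" in headers and "version" in headers:
            rows.append((str(php_file), headers["version"], is_affected(headers["version"])))
    return rows


if __name__ == "__main__":
    for path, version, affected in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok':<9}{version:<12}{path}")
```

Run it with the directory that holds the WordPress document roots as its only argument; a copy whose version cannot be parsed is reported as affected so that it gets a manual check.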

References:

https://github.com/wp-e-commerce/WP-e-Commerce/commit/390c2ecc68027fbf21fb5d99a556d88c7bd8c05b

Manufacturer URL:

https://wordpress.org/plugins/wp-e-commerce/