Another week, another security hole. This time I have found several holes in ajax-and-init.php from WP-eCommerce v3.7.4, aka WP Shopping Cart, which is the latest stable version at the time of writing. Let's go.
The first issue is an unrestricted file deletion vulnerability. A remote attacker can get a logged-in WP user to open a prepared link, and the script named above then deletes files on the server with the web server's privileges. The user must be logged in, but a plain subscriber account is sufficient: the handler only checks that the caller is authenticated, not what the caller is allowed to do, and it accepts requests that did not originate from the site itself (a cross-site request forgery).
The second issue is a SQL injection vulnerability. By the same route (a prepared link opened by a logged-in WP user) a remote attacker can have "Products List" items deleted and the "Products Files" table truncated. As above, a plain subscriber account is sufficient.
There is at least one more hole that lets a remote attacker change the plugin's configuration under the same conditions.
What to do
Upgrade immediately to version 3.7.5 RC1.
Conclusion
The author of the plugin has been notified. I wonder, though, why these security leaks have not been mentioned in the 3.7.5 RC1 announcement… Judge for yourself.
UPDATE Oct 19, 2009: Leaks are still unfixed in the current stable version.