Proof-of-concept code has been published by the researchers

Apr 30, 2015 08:15 GMT  ·  By

Four vulnerabilities have been found in the TheCartPress eCommerce plugin for WordPress, which is currently installed on more than 5,000 websites, according to statistics from WordPress.

Successful exploitation of the flaws could allow an attacker to run arbitrary PHP code on the server, as well as access sensitive information, researchers say.

A patch may not become available

Experts from High-Tech Bridge Security Research Lab discovered that the component suffers from two cross-site scripting (XSS) bugs, a PHP file inclusion flaw, and a broken access-control check in the code that governs access to specific resources.

The vendor was alerted multiple times starting April 8, via email and the support forums, but no reply was received. Administrators are advised to remove the plugin, since no patch is likely to emerge: the developers have announced that TheCartPress will no longer be supported as of June 1, 2015.

High-Tech Bridge says that the PHP file inclusion problem, which lets an attacker include arbitrary files through directory traversal sequences, requires administrator privileges to exploit; however, a CSRF (cross-site request forgery) vulnerability also appears to exist, and it could be used against an administrator account, potentially leading to compromise.

Due to insufficient input sanitization, WordPress websites with TheCartPress installed are vulnerable to a stored cross-site scripting (XSS) bug, which a threat actor could trigger through the HTTP POST parameters of the “Shipping address” and “Billing address” sections.

Unauthenticated users can inject malicious HTML and JavaScript code this way and store it in the application database, in order to gain access to purchases made by other users based on the identification number of their order (IDs can be predicted because they are sequential).

With technical details published, attacks are easier to carry out

The same can be achieved because the authentication mechanism is broken, and all the attacker has to do is request the following URL:

    http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]

To view the full details of an order, they can just open this link:

    http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

High-Tech Bridge researchers say that several XSS vulnerabilities are also present in TheCartPress 1.3.9, the latest version of the product. These could be exploited to trick authenticated administrators into opening a malicious link that executes arbitrary script in the context of the website.
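Because the two order-view URLs quoted above accept any order_id and the IDs are sequential, the tell-tale sign of abuse in a web server's access log is a single client walking a run of consecutive order numbers. The following Python script is an added example written for this article, not code from High-Tech Bridge or from the TheCartPress project: it parses combined-format access log lines, picks out successful requests to the two endpoints named in the advisory, groups the order IDs seen per client address, and flags clients that fetched several different orders including a consecutive run. The log lines, IP addresses, order numbers and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
# 203.0.113.7 walks sequential order IDs through both order-view URLs;
# 198.51.100.4 views its own single order and is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2015:08:15:01 +0000] "GET /wp-admin/admin-ajax.php?order_id=1041&action=tcp_print_order HTTP/1.1" 200 2310 "-" "curl/7.38.0"
203.0.113.7 - - [30/Apr/2015:08:15:02 +0000] "GET /wp-admin/admin-ajax.php?order_id=1042&action=tcp_print_order HTTP/1.1" 200 2287 "-" "curl/7.38.0"
203.0.113.7 - - [30/Apr/2015:08:15:02 +0000] "GET /wp-admin/admin-ajax.php?order_id=1043&action=tcp_print_order HTTP/1.1" 200 2301 "-" "curl/7.38.0"
203.0.113.7 - - [30/Apr/2015:08:15:03 +0000] "GET /shopping-cart/checkout/?tcp_checkout=ok&order_id=1044 HTTP/1.1" 200 5120 "-" "curl/7.38.0"
203.0.113.7 - - [30/Apr/2015:08:15:03 +0000] "GET /shopping-cart/checkout/?tcp_checkout=ok&order_id=1045 HTTP/1.1" 200 5098 "-" "curl/7.38.0"
198.51.100.4 - - [30/Apr/2015:08:20:11 +0000] "GET /shopping-cart/checkout/?tcp_checkout=ok&order_id=1046 HTTP/1.1" 200 5111 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Apr/2015:09:02:40 +0000] "GET /wp-admin/admin-ajax.php?order_id=1046&action=tcp_print_order HTTP/1.1" 200 2299 "-" "Mozilla/5.0"
198.51.100.4 - - [30/Apr/2015:09:03:05 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def order_id_from_request(target):
    """Return the integer order_id if the request target is one of the two
    order-view URLs named in the advisory, otherwise None."""
    parsed = urlparse(target)
    qs = parse_qs(parsed.query)
    path = parsed.path.rstrip("/")
    print_order = path.endswith("/wp-admin/admin-ajax.php") and qs.get("action") == ["tcp_print_order"]
    checkout_view = path.endswith("/shopping-cart/checkout") and qs.get("tcp_checkout") == ["ok"]
    if not (print_order or checkout_view):
        return None
    try:
        return int(qs["order_id"][0])
    except (KeyError, ValueError):
        return None


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in a set of IDs."""
    best = 0
    for n in ids:
        if n - 1 in ids:
            continue  # only start counting at the first element of a run
        length = 1
        while n + length in ids:
            length += 1
        best = max(best, length)
    return best


def find_enumeration(log_text, min_distinct=3, min_run=3):
    """Group successful order views by client IP and flag clients that fetched
    at least `min_distinct` different orders including a consecutive run of
    `min_run` or more, the signature of walking sequential IDs. Thresholds are
    constructed defaults; tune them to the shop's normal traffic."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        oid = order_id_from_request(m.group("target"))
        if oid is not None:
            seen[m.group("ip")].add(oid)
    findings = []
    for ip, ids in sorted(seen.items()):
        run = longest_consecutive_run(ids)
        if len(ids) >= min_distinct and run >= min_run:
            findings.append({"ip": ip, "distinct_orders": len(ids), "longest_run": run,
                             "first": min(ids), "last": max(ids)})
    return findings


if __name__ == "__main__":
    for f in find_enumeration(SAMPLE_LOG):
        print(f"{f['ip']}: {f['distinct_orders']} orders viewed, "
              f"consecutive run of {f['longest_run']} ({f['first']}..{f['last']})")
```

Only 200 responses are counted, so a client whose probes are rejected does not trip the rule; on a site where the plugin is still installed, though, every probe succeeds, which is exactly what makes the run of IDs visible. The same grouping could be keyed on a session cookie instead of the client address if the shop sits behind a proxy that hides the real source.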

Since the vendor did not respond to the researchers' disclosure, the technical details, along with proof-of-concept code, are now publicly available.