Private info on WordPress sites can be accessed and modified

Nov 1, 2014 18:55 GMT

A vulnerability in WP eCommerce, a popular shopping cart plug-in for the WordPress publishing platform, permits unauthorized modification of orders (such as marking unpaid orders as paid) and extraction of confidential customer information.

The flaw is that the “admin_init” hook can be triggered without authentication. This is similar to the vulnerability in the MailPoet plug-in that Sucuri disclosed responsibly at the beginning of July and that led to thousands of websites being hacked by the end of that month.

Mickael Nadeau of Sucuri says that, if the issue is exploited, an attacker could carry out administrative-level tasks, such as exporting user names, addresses and other sensitive data, without being authenticated.

Additionally, there is a risk of fraud: an attacker could change the transaction status of a product they purchased to “Accepted Payment” without any money being transferred.
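As an added illustration (this is not WP eCommerce's code and is not taken from Sucuri's write-up), the following hypothetical plug-in shows the insecure “admin_init” pattern the article describes next to a hardened version. Every example_shop_* function, request parameter and meta key is an assumption; the WordPress API calls (current_user_can, check_admin_referer, wp_nonce_url and friends) are real.

```php
<?php
/*
 * Added illustration, not code from WP eCommerce or from Sucuri: the insecure
 * admin_init pattern the article describes next to its hardened form. Every
 * name below (the example_shop_* functions, request parameters and meta keys)
 * is hypothetical.
 *
 * WordPress fires the admin_init action on every request to an admin entry
 * point, including wp-admin/admin-ajax.php, which also serves visitors who are
 * not logged in. A handler hooked there must check the caller itself; the hook
 * name carries no authorisation.
 */

/* ---- Insecure pattern: privileged work keyed only on request parameters -- */
function example_shop_admin_init_insecure() {
    // Assumes admin_init implies an administrator. It does not, so any
    // visitor can reach both branches.
    if ( isset( $_GET['example_shop_export'] ) ) {
        example_shop_stream_orders_csv();                 // customer data leak
        exit;
    }
    if ( isset( $_POST['example_shop_order_id'], $_POST['example_shop_status'] ) ) {
        update_post_meta(                                  // e.g. unpaid -> paid
            (int) $_POST['example_shop_order_id'],
            '_example_shop_status',
            sanitize_text_field( wp_unslash( $_POST['example_shop_status'] ) )
        );
    }
}
// add_action( 'admin_init', 'example_shop_admin_init_insecure' ); // do not use

/* ---- Hardened pattern: capability check, nonce, strict input ----------- */
function example_shop_admin_init_secure() {
    if ( ! isset( $_REQUEST['example_shop_action'] ) ) {
        return; // not our request; let the rest of admin_init proceed
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['example_shop_action'] ) );

    // 1. Authorisation: the missing check. Unauthenticated callers and
    //    ordinary subscribers fail current_user_can() and receive a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce minted for this
    //    action and this user, so an administrator cannot be made to trigger
    //    it by following a crafted link.
    check_admin_referer( 'example_shop_' . $action );

    // 3. Only known actions and known values are accepted.
    switch ( $action ) {
        case 'export':
            example_shop_stream_orders_csv();
            exit;
        case 'set_status':
            $allowed  = array( 'pending', 'accepted_payment', 'refunded' );
            $status   = sanitize_key( wp_unslash( $_POST['example_shop_status'] ?? '' ) );
            $order_id = absint( $_POST['example_shop_order_id'] ?? 0 );
            if ( $order_id && in_array( $status, $allowed, true ) ) {
                update_post_meta( $order_id, '_example_shop_status', $status );
            }
            wp_safe_redirect( admin_url( 'admin.php?page=example_shop' ) );
            exit;
        default:
            wp_die( 'Unknown action.', 400 );
    }
}
add_action( 'admin_init', 'example_shop_admin_init_secure' );

// Link generator for the plug-in's own admin screens; wp_nonce_url() appends
// the _wpnonce parameter that check_admin_referer() above verifies.
function example_shop_export_url() {
    return wp_nonce_url( admin_url( 'admin.php?example_shop_action=export' ),
                         'example_shop_export' );
}

// Streams orders (a hypothetical custom post type) as CSV to the response.
function example_shop_stream_orders_csv() {
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="orders.csv"' );
    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'order_id', 'customer', 'status' ) );
    $orders = get_posts( array( 'post_type' => 'example_shop_order', 'numberposts' => -1 ) );
    foreach ( $orders as $order ) {
        fputcsv( $out, array(
            $order->ID,
            get_post_meta( $order->ID, '_example_shop_customer', true ),
            get_post_meta( $order->ID, '_example_shop_status', true ),
        ) );
    }
    fclose( $out );
}
```

The decisive change is the capability check: because admin_init runs for unauthenticated requests to admin-ajax.php, a handler that performs privileged work there without calling current_user_can() is reachable by anyone, which is exactly the class of flaw described above. The nonce is a second, separate control against cross-site request forgery, and the whitelist on the status value keeps an authorised user from writing arbitrary states. When auditing a plug-in, search for add_action( 'admin_init', … ) and confirm that every branch doing writes or exports is guarded by both checks.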

The flaw is fixed in the latest version of the plug-in (3.8.14.4), and all users are strongly advised to update to this release.

WP eCommerce has been available since 2006 and it is listed with over 2.9 million downloads on the official page. According to statistics from BuiltWith, during the month of October, the plug-in was present in more than 62,000 WordPress installations.