WordPress E-commerce Plug-in Vulnerabilities Put 5,000+ Websites At Risk
The e-commerce plug-in CartPress, which is used in many WordPress-based websites, is reported to have several high-risk vulnerabilities. Currently, there are no fixes available for the flaws, and its developers say that support for the plug-in will be terminated on June 1. The popular WordPress e-commerce plug-in is used on over 5,000 websites, according to reports.
Attackers could use these vulnerabilities to "execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting [XSS] attacks against users of WordPress installations with the vulnerable plug-in," a Computerworld report quoted researchers from security firm High-Tech Bridge as saying.
According to the researchers at High-Tech Bridge, the bugs affect version 1.3.9, which is the latest version, Help Net Security reports.
Researchers at High-Tech Bridge reported the CartPress vulnerabilities on April 8, 17 and 27, and according to the timeline published in the High-Tech Bridge advisory, no confirmation was received from CartPress, Threatpost reports.
“Currently, we are not aware of any official solution for this vulnerability,” Threatpost quoted the advisory as saying. As a workaround, the advisory recommends removing the vulnerable plug-in, Threatpost reports.
The same report points out that the first vulnerability is a PHP file inclusion that needs WordPress admin rights to exploit, and that the script is also susceptible to cross-site request forgery. An attacker could use this vulnerability to access local files through directory traversal. Researchers say a stored cross-site scripting bug was also discovered. According to the advisory, user-supplied HTTP parameters in the Shipping and Billing address sections are not sanitized before they are stored in the local database. In such a situation, attackers could introduce malicious JavaScript and HTML code.
Another vulnerability in the plug-in is ‘improper access controls’, because of which non-authenticated users can gain access to the orders of other customers. Attackers can trigger the vulnerability by accessing a URL that contains an order ID number, which is predictable from previously placed orders.
The final concern pertains to multiple cross-site scripting vulnerabilities in which input is not properly sanitized before being returned to the user. The report also explains that remote attackers can craft a link that executes code in the user's browser.
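For site owners who cannot remove the plug-in immediately, the access-control flaw described above leaves a recognizable trace in web server logs: one client successfully fetching a run of consecutive order IDs. The following is an added detection example, not code from the advisory or from CartPress; the `order_id` query parameter, the log lines and the threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed URL shape: the page only says the URL contains an order ID, so the
# "order_id" query parameter here is hypothetical, not CartPress's real route.
ORDER_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET \S*[?&]order_id=(\d+)\S* HTTP/[\d.]+" (\d{3}) '
)

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "GET /shop/order/?order_id=1041 HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "GET /shop/order/?order_id=1042 HTTP/1.1" 200 4988
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "GET /shop/order/?order_id=1043 HTTP/1.1" 200 5301
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "GET /shop/order/?order_id=1044 HTTP/1.1" 200 5077
203.0.113.7 - - [10/May/2024:10:00:04 +0000] "GET /shop/order/?order_id=1045 HTTP/1.1" 200 5210
203.0.113.7 - - [10/May/2024:10:00:05 +0000] "GET /shop/order/?order_id=1046 HTTP/1.1" 404 312
198.51.100.20 - - [10/May/2024:10:03:11 +0000] "GET /shop/order/?order_id=1030 HTTP/1.1" 200 5044
198.51.100.20 - - [10/May/2024:10:04:40 +0000] "GET /shop/order/?order_id=1030 HTTP/1.1" 200 5044
198.51.100.20 - - [10/May/2024:11:15:02 +0000] "GET /shop/order/?order_id=1077 HTTP/1.1" 200 4871
192.0.2.9 - - [10/May/2024:11:20:00 +0000] "GET /shop/ HTTP/1.1" 200 20480
"""

def longest_run(ids):
    """Return the length of the longest run of consecutive integers in ids."""
    present = set(ids)
    best = 0
    for n in present:
        if n - 1 not in present:  # n starts a run
            length = 1
            while n + length in present:
                length += 1
            best = max(best, length)
    return best

def find_enumeration(log_text, min_run=4):
    """Map client IP -> sorted order IDs served with 200, for clients whose
    successful requests include at least min_run consecutive order IDs."""
    served = defaultdict(set)
    for line in log_text.splitlines():
        m = ORDER_RE.match(line)
        if m and m.group(3) == "200":  # only count orders actually returned
            served[m.group(1)].add(int(m.group(2)))
    return {ip: sorted(ids) for ip, ids in served.items()
            if longest_run(ids) >= min_run}

if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip} fetched consecutive orders {ids[0]}-{ids[-1]}")
```

A customer reloading their own order, like the second client in the sample, does not trip the check; the threshold should be tuned to the store's real traffic.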
(For feedback/comments, mail the writer at pragyan.ibtimes@gmail.com)