Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Flaws in WordPress eCommerce Plugin Expose Over 5,000 Websites

Researchers at High-Tech Bridge have identified several vulnerabilities in TheCartPress, an eCommerce plugin installed on more than 5,000 WordPress websites.

According to experts, the plugin is plagued by security holes that can be exploited for cross-site scripting (XSS) attacks, arbitrary PHP code execution, and sensitive data disclosure.

Researchers at High-Tech Bridge have identified several vulnerabilities in TheCartPress, an eCommerce plugin installed on more than 5,000 WordPress websites.

According to experts, the plugin is plagued by security holes that can be exploited for cross-site scripting (XSS) attacks, arbitrary PHP code execution, and sensitive data disclosure.

Researchers uncovered several XSS vulnerabilities (CVE-2015-3300). One of them, a stored XSS, affects the checkout process and is caused by the lack of user input sanitization in some fields of the “Shipping address” and “Billing address” sections.

An unauthenticated attacker can exploit the vulnerability to inject malicious HTML or JavaScript code into vulnerable websites in an effort to target users and administrators, High-Tech Bridge said in its advisory.

Four other XSS flaws discovered by experts can be exploited by an attacker to get website administrators to execute arbitrary code by tricking them into clicking on a specially crafted link.

Researchers have also identified a local PHP file inclusion vulnerability (CVE-2015-3301) that can be leveraged to include arbitrary local files via directory traversal sequences. The vulnerability can be exploited by an attacker that has administrative privileges or via a cross-site request forgery (CSRF) exploit.

Finally, High-Tech Bridge reported uncovering an improper access control bug (CVE-2015-3302). An unauthenticated attacker can exploit a broken authentication mechanism to gain access to the orders placed by users on online stores running vulnerable versions of TheCartPress.

Advertisement. Scroll to continue reading.

According to High-Tech Bridge, the vulnerabilities affect TheCartPress 1.3.9 and probably earlier versions. The security firm has attempted to report the flaws to the developer on several occasions this month, but without success.

A notice posted on thecartpress.com informs users that support for the plugin ends on June 1, 2015, so it’s possible that the vulnerabilities will never get fixed. TheCartPress developers have not responded to SecurityWeek’s request for comment by the time of publication.

Since a patch is not available, High-Tech Bridge advises users to disable or remove TheCartPress plugin from their WordPress websites.

High-Tech Bridge published on Wednesday an advisory to inform users of the existence of a medium severity XSS vulnerability in WP Photo Album Plus, a plugin designed to allow administrators to easily manage and display their photos, albums, slideshows and videos on WordPress websites. The plugin is currently installed on more than 50,000 websites.

The details of the vulnerability will only be disclosed on May 20, but a fix has already been made available with the release of version 6.1.3.

UPDATE: TheCartPress developers told SecurityWeek on Sunday, May 3, that they have released a new version of the plugin to address the security bugs.

Related: Magento Flaw Exploited in the Wild Within 24 Hours After Disclosure

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.