Flaws in WordPress eCommerce Plugin Expose Over 5,000 Websites

Researchers at High-Tech Bridge have identified several vulnerabilities in TheCartPress, an eCommerce plugin installed on more than 5,000 WordPress websites.

According to experts, the plugin is plagued by security holes that can be exploited for cross-site scripting (XSS) attacks, arbitrary PHP code execution, and sensitive data disclosure.

Researchers uncovered several XSS vulnerabilities (CVE-2015-3300). One of them, a stored XSS, affects the checkout process and is caused by the lack of user input sanitization in some fields of the “Shipping address” and “Billing address” sections.

An unauthenticated attacker can exploit the vulnerability to inject malicious HTML or JavaScript code into vulnerable websites in an effort to target users and administrators, High-Tech Bridge said in its advisory.

Four other XSS flaws discovered by experts can be exploited by an attacker to get website administrators to execute arbitrary code by tricking them into clicking on a specially crafted link.

Researchers have also identified a local PHP file inclusion vulnerability (CVE-2015-3301) that can be leveraged to include arbitrary local files via directory traversal sequences. The vulnerability can be exploited by an attacker that has administrative privileges or via a cross-site request forgery (CSRF) exploit.

Finally, High-Tech Bridge reported uncovering an improper access control bug (CVE-2015-3302). An unauthenticated attacker can exploit a broken authentication mechanism to gain access to the orders placed by users on online stores running vulnerable versions of TheCartPress.

According to High-Tech Bridge, the vulnerabilities affect TheCartPress 1.3.9 and probably earlier versions. The security firm has attempted to report the flaws to the developer on several occasions this month, but without success.

A notice posted on thecartpress.com informs users that support for the plugin ends on June 1, 2015, so it’s possible that the vulnerabilities will never get fixed. TheCartPress developers have not responded to SecurityWeek’s request for comment by the time of publication.

Since a patch is not available, High-Tech Bridge advises users to disable or remove TheCartPress plugin from their WordPress websites.

High-Tech Bridge published on Wednesday an advisory to inform users of the existence of a medium severity XSS vulnerability in WP Photo Album Plus, a plugin designed to allow administrators to easily manage and display their photos, albums, slideshows and videos on WordPress websites. The plugin is currently installed on more than 50,000 websites.

The details of the vulnerability will only be disclosed on May 20, but a fix has already been made available with the release of version 6.1.3.

UPDATE: TheCartPress developers told SecurityWeek on Sunday, May 3, that they have released a new version of the plugin to address the security bugs.

Related: Magento Flaw Exploited in the Wild Within 24 Hours After Disclosure