Vulnerability in e-Commerce Wordpress Plugin: Buy Anything Without Paying
Alongside Drupal, Wordpress, one of the most popular CMSs, also appears to be vulnerable to serious flaws. Researchers at Sucuri have found an information leak and access control bypass vulnerability in the popular WP eCommerce Plugin.
The WP eCommerce Plugin is mainly used for selling products, downloads and memberships online. Its download count, 2.9 million, clearly shows how popular it is.
According to the researchers, the vulnerability can be exploited by a remote attacker to gain access to names, email addresses, billing addresses and other information belonging to users who made purchases through the Plugin. Sucuri also said that this data can be manipulated easily by the attacker.
Sucuri Researcher Mickael Nadeau said:
An attacker could perform administrative-related tasks without actually being authenticated as an administrator on the targeted website. Using this vulnerability, one could send a few requests to the website's database, dumping all client personal information. It is also possible for someone to buy products and change the status of their transactions to Accepted Payment without actually making the payment.
The flaw came to Sucuri's attention during their routine audit of Windows Firewall. After finding the vulnerability, the WP eCommerce Plugin Developer Team was immediately contacted, and they patched the flaw by releasing version 3.8.14.4.
What is the Flaw?
Sucuri posted in their blog:
The plugin developers assumed that the WordPress’s admin_init hook was only called when the administrator was logged in and visited a page inside /wp-admin/. However, any call to /wp-admin/admin-post.php (or admin-ajax) also executes this hook without requiring the user to be authenticated.
Sucuri did not disclose further technical details about the vulnerability, as they want to give webmasters time to fix the flaw. They also said that this flaw looks similar to the vulnerability they found in the MailPoet Newsletter Plugin some weeks ago.
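To make the root cause concrete, here is an added illustration of the hook misuse Sucuri describes, written for this article and not taken from the WP eCommerce plugin's code. The hook names `admin_init` and `admin_post_{action}` and the functions `current_user_can()`, `check_admin_referer()`, `wp_verify_nonce()` and `wp_die()` are real WordPress APIs; the plugin slug `myshop`, the option name and the order-status handler are hypothetical. The first handler shows the flawed assumption (anything reached via `admin_init` must be an authenticated administrator); the second shows the pattern a defender should look for instead: an explicit capability check plus a nonce check before any state change.

```php
<?php
// Hypothetical example for this article; not the WP eCommerce plugin's code.

// --- Flawed pattern -------------------------------------------------------
// admin_init fires for every request to /wp-admin/admin-post.php and
// /wp-admin/admin-ajax.php, including unauthenticated ones. A handler that
// relies on "we are in admin_init, so the caller is an admin" is therefore
// reachable by anyone who can send a POST to admin-post.php.
add_action( 'admin_init', 'myshop_flawed_order_update' );
function myshop_flawed_order_update() {
    if ( ! isset( $_POST['myshop_order_id'], $_POST['myshop_status'] ) ) {
        return;
    }
    // No authentication, no capability check, no nonce: any remote caller
    // can flip an order to "paid". This is the class of bug described above.
    myshop_set_order_status( (int) $_POST['myshop_order_id'],
                             sanitize_text_field( $_POST['myshop_status'] ) );
}

// --- Hardened pattern -----------------------------------------------------
// 1. Register on a dedicated admin_post_{action} hook rather than admin_init.
//    admin_post_* runs only for logged-in users; the *_nopriv_ variant is the
//    one that serves anonymous callers, and we deliberately do not add it.
add_action( 'admin_post_myshop_update_order', 'myshop_hardened_order_update' );
function myshop_hardened_order_update() {
    // 2. Authorisation: require a capability, never just "is logged in".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 3. CSRF protection: verify the nonce tied to this specific action.
    //    check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'myshop_update_order', 'myshop_nonce' );

    $order_id = isset( $_POST['myshop_order_id'] ) ? (int) $_POST['myshop_order_id'] : 0;
    $status   = isset( $_POST['myshop_status'] ) ? sanitize_text_field( $_POST['myshop_status'] ) : '';

    // 4. Validate the state transition against an allow-list, not free text.
    $allowed = array( 'pending', 'accepted', 'refunded' );
    if ( $order_id <= 0 || ! in_array( $status, $allowed, true ) ) {
        wp_die( 'Invalid order update.', '', array( 'response' => 400 ) );
    }

    myshop_set_order_status( $order_id, $status );
    wp_safe_redirect( admin_url( 'admin.php?page=myshop-orders&updated=1' ) );
    exit;
}

// Shared helper (hypothetical storage: one option per order).
function myshop_set_order_status( $order_id, $status ) {
    update_option( 'myshop_order_' . $order_id . '_status', $status );
}
```

When auditing a plugin for this bug class, grep for `add_action( 'admin_init'` and check whether each callback that writes data or returns records performs its own `current_user_can()` and nonce verification; the presence of `admin_init` alone proves nothing about who the caller is.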