TheCartPress eCommerce Shopping Cart – a popular WordPress e-commerce plugin that is actively used on over 5,000 websites – contains high-risk vulnerabilities that can be exploited to compromise customers’ data, execute arbitrary PHP code, and perform Cross-Site Scripting attacks against users of WordPress installations, claim High-Tech Bridge researchers. Users are advised to disable or remove the plugin.
The bugs affect version 1.3.9 (the latest) and probably prior ones, the researchers say. A fix for these vulnerabilities is unlikely, as the developers noted before that support for TheCartPress plugin will end on June 1, 2015.
Update: an update to TheCartPress 188.8.131.52 is available and given the changelog, development of the plugin is picking up again.
You can read High-Tech Bridge’s advisory, “Multiple Vulnerabilities in TheCartPress WordPress plugin”, for the details.
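A defender-side check for the version this post names, written as an added example (not code from the original post, from High-Tech Bridge, or from the plugin’s authors): it scans a WordPress plugins directory, reads the plugin’s standard `Version:` header the same way WordPress does, and flags any install at 1.3.9 or below. The plugin directory name `thecartpress` is an assumption, and the sample plugin file the script builds in a temporary directory is constructed for the demonstration.

```python
"""Flag a vulnerable TheCartPress install by its plugin header version.

Added example, not from the original post, High-Tech Bridge or the plugin
project. Assumptions: the plugin lives in wp-content/plugins/thecartpress/
(slug assumed) and, like every WordPress plugin, declares its version in a
'Version:' line of the header comment in its main PHP file.
"""
import os
import re
import tempfile

PLUGIN_SLUG = "thecartpress"   # assumed directory name under wp-content/plugins
VULNERABLE_MAX = (1, 3, 9)     # the post: 1.3.9 (the latest) and probably prior

# Same shape as the header regex WordPress itself uses: leading comment
# punctuation, then "Version:" and the value, matched case-insensitively.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][0-9.]*)", re.MULTILINE | re.IGNORECASE)


def parse_version(text):
    """'1.3.9' -> (1, 3, 9); tuples compare correctly component by component."""
    return tuple(int(part) for part in text.strip(".").split("."))


def find_plugin_version(plugins_dir, slug=PLUGIN_SLUG):
    """Return the declared version tuple of the plugin, or None if it is not installed."""
    plugin_dir = os.path.join(plugins_dir, slug)
    if not os.path.isdir(plugin_dir):
        return None
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(plugin_dir, name), encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)   # WordPress only reads the first 8 KB for headers
        if "Plugin Name:" not in head:
            continue               # not the main plugin file
        match = VERSION_RE.search(head)
        if match:
            return parse_version(match.group(1))
    return None


def is_vulnerable(version):
    """True when the plugin is present and at or below the version the post names."""
    return version is not None and version <= VULNERABLE_MAX


def assess(plugins_dir):
    """Human-readable verdict for one wp-content/plugins directory."""
    version = find_plugin_version(plugins_dir)
    if version is None:
        return "TheCartPress not installed"
    label = ".".join(str(p) for p in version)
    if is_vulnerable(version):
        return f"TheCartPress {label}: vulnerable, disable or remove the plugin"
    return f"TheCartPress {label}: above 1.3.9, verify against the vendor changelog"


def build_sample(version_str):
    """Construct a throwaway plugins directory holding a minimal plugin header."""
    plugins_dir = tempfile.mkdtemp(prefix="wp-plugins-")
    plugin_dir = os.path.join(plugins_dir, PLUGIN_SLUG)
    os.mkdir(plugin_dir)
    header = (
        "<?php\n/*\n"
        " * Plugin Name: TheCartPress (constructed sample)\n"
        f" * Version: {version_str}\n"
        " */\n"
    )
    with open(os.path.join(plugin_dir, "thecartpress.php"), "w", encoding="utf-8") as fh:
        fh.write(header)
    return plugins_dir


if __name__ == "__main__":
    print(assess(build_sample("1.3.9")))    # vulnerable
    print(assess(build_sample("1.4.0")))    # not flagged
    print(assess(tempfile.mkdtemp()))       # not installed
```

Run it against a real install by calling `assess("/var/www/html/wp-content/plugins")` instead of the constructed sample; the verdict is only as good as the header, so a hand-patched copy that kept its old version string will still be flagged, which is the safe failure mode here.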
My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, WordPress, websites & optimization. Want to support me and donate? Use this link: https://paypal.me/jreilink.