TheCartPress eCommerce Shopping Cart, a popular WordPress e-commerce plugin actively used on over 5,000 websites, contains high-risk vulnerabilities that can be exploited to compromise customers’ data, execute arbitrary PHP code, and perform Cross-Site Scripting attacks against users of WordPress installations, according to High-Tech Bridge researchers. Users are advised to disable or remove the plugin.
The bugs affect version 1.3.9 (the latest) and probably earlier ones, the researchers say. A fix for these vulnerabilities is unlikely, as the developers had previously announced that support for TheCartPress plugin will end on June 1, 2015.
Update: TheCartPress 188.8.131.52 is now available and, judging by the changelog, development of the plugin is picking up again.
You can read High-Tech Bridge’s Multiple Vulnerabilities in TheCartPress WordPress plugin advisory.
My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.