High-risk vulnerabilities in TheCartPress leaves WordPress sites at risk

TheCartPress eCommerce Shopping Cart – a popular WordPress e-commerce plugin that is actively used on over 5,000 websites – contains high-risk vulnerabilities that can be exploited to compromise customers’ data, execute arbitrary PHP code, and perform Cross-Site Scripting attacks against users of WordPress installations, claim High-Tech Bridge researchers. Users are advised to disable or remove the plugin.

The bugs affect version 1.3.9 (the latest) and probably prior ones, the researchers say. A fix for these vulnerabilities is unlikely, as the developers noted before that support for TheCartPress plugin will end on June 1, 2015.

Update: an update to TheCartPress 1.3.9.3 is available and given the changelog, development of the plugin is picking up again.

TheCartPress WordPress plugin security advisory

You can read High-Tech Bridge’s Multiple Vulnerabilities in TheCartPress WordPress plugin advisory.

Posted by Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization. Want to support me and donate? Use this link: https://paypal.me/jreilink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.