Vulnerability of A WordPress Ecommerce Plugin Disclosed

7 May 2015

Birmingham: We all know that WordPress is the most popular content management system being used to create powerful websites and blogs. It’s not just a blogging platform; WordPress has several plugins through which you can do a lot of things. You can transform your site into a full-fledged digital shop with the assistance of several ecommerce plugins available.

There are several ecommerce plugins for WordPress that are ideal for online merchants, developers and theme builders. They can be used as catalogues, shopping carts or frameworks, and they extend the website by adding extra features to it. But plugins can also carry vulnerabilities of their own.

Vulnerability of CartPress disclosed:

Very recently, researchers at a well-known company reported vulnerabilities in a WordPress ecommerce plugin called CartPress. The company disclosed them publicly, stating that it currently has no official fix for the vulnerabilities and recommending disabling or removing the plugin as a workaround. It is also being said that the plugin will no longer be supported as of June 1st.

Impacts of the vulnerability:

  • According to the published reports, the vulnerabilities can be exploited to disclose data, run code or carry out cross-site scripting attacks against sites. The first bug is a PHP file inclusion issue; it requires admin privileges to exploit. An attacker with that access can use it to read local files via directory traversal.

  • Another bug, which was patched recently, is that the HTTP parameters supplied by users in the shipping and billing address fields are not sanitized before they are stored in the local database, so an attacker can inject malicious HTML or JavaScript code.

  • A third, critical vulnerability is improper access control: an attacker can browse other customers' orders simply by visiting certain URLs that carry order IDs, and because the IDs are predictable, previous orders can be enumerated. It lets unauthenticated users steal existing orders.

  • One final issue is multiple cross-site scripting vulnerabilities; by exploiting these, an attacker can craft a link that executes code in the victim's browser.
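The three plugin-side defects described above (unescaped stored address fields, order lookups keyed only by a guessable ID, and file inclusion driven by a user-controlled name) map to three well-known fixes: sanitize on input and escape on output, check ownership before returning a record, and resolve includes against an allowlist. The following PHP is an added illustration written for this article; it is not CartPress code, not the reporting company's proof of concept, and contains no WordPress API calls so it runs with plain `php`. The order rows, the user IDs, the stored payload string and every function name are constructed for the example; comments note the WordPress helpers a plugin author would use instead.

```php
<?php
// Added example, not CartPress code. Constructed in-memory "orders table";
// a real plugin would read these rows from the WordPress database via $wpdb.
$orders = [
    101 => ['customer_id' => 7, 'billing_name' => 'Alice Example'],
    // Constructed stored-XSS payload standing in for an unsanitized address field.
    102 => ['customer_id' => 8, 'billing_name' => '<img src=x onerror=alert(1)>'],
];

// ---- Vulnerable pattern (what the advisory describes) -----------------------
// Any visitor who supplies a numeric order id receives the row, and the stored
// field is concatenated straight into the HTML response.
function render_order_vulnerable(array $orders, int $order_id): ?string {
    if (!isset($orders[$order_id])) {
        return null;
    }
    return '<p>Billing name: ' . $orders[$order_id]['billing_name'] . '</p>';
}

// ---- Hardened pattern --------------------------------------------------------
// 1. Sanitize address input before it is stored: strip tags and control
//    characters, trim, cap the length. WordPress equivalent: sanitize_text_field().
function sanitize_address_field(string $raw): string {
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean);
    return mb_substr(trim($clean), 0, 200);
}

// 2. Escape for the HTML context on output, whatever is in the database, so a
//    record stored before the input fix still cannot inject markup.
//    WordPress equivalent: esc_html().
function esc_html_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Return an order only to its owner (or an administrator). Unknown ids and
//    other people's ids get the same null so the response does not leak which
//    ids exist. WordPress equivalents: get_current_user_id(),
//    current_user_can('manage_options').
function render_order_hardened(array $orders, int $order_id, int $current_user_id, bool $is_admin = false): ?string {
    if (!isset($orders[$order_id])) {
        return null;
    }
    $order = $orders[$order_id];
    if (!$is_admin && $order['customer_id'] !== $current_user_id) {
        return null;
    }
    return '<p>Billing name: ' . esc_html_ctx($order['billing_name']) . '</p>';
}

// 4. Resolve a template name against a fixed allowlist instead of building a
//    path from the request, which closes the directory-traversal route to local
//    files even for a privileged user. $template_dir is constructed for the example.
function resolve_template(string $requested, string $template_dir): ?string {
    $allowed = ['cart', 'checkout', 'order-summary'];
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    return $template_dir . '/' . $requested . '.php';
}

// Demonstration of each pattern on the constructed data.
echo "Input sanitized:   " . sanitize_address_field("<script>alert(1)</script>Bob\x00") . "\n";
echo "Vulnerable, anon:  " . render_order_vulnerable($orders, 102) . "\n";
echo "Hardened, user 7:  " . var_export(render_order_hardened($orders, 102, 7), true) . "\n";
echo "Hardened, user 8:  " . render_order_hardened($orders, 102, 8) . "\n";
echo "Template traversal:" . var_export(resolve_template('../../wp-config', '/tmp/tpl'), true) . "\n";
echo "Template allowed:  " . resolve_template('checkout', '/tmp/tpl') . "\n";
```

Input sanitization and output escaping are both kept because they address different failures: sanitizing protects the database from new payloads, while escaping protects every reader of data that was stored before the fix. The ownership check returns the same response for "no such order" and "not your order" so the endpoint cannot be used to confirm which order IDs exist.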

Are you planning to outsource WordPress development in Birmingham? Breathe easy; you are in the right place. Fortune Innovations is the best web development company in Birmingham you can rely upon. You can also hire web designers and developers who are highly knowledgeable and focused. We are very much concerned about our clients’ satisfaction, as we believe it is the main reason for our success.

Why Fortune Innovations?

  • Cost effective, save up to 40%
  • Birmingham based account management
  • Expert team of programmers with Web 2.0 expertise
  • An offshore development team of more than 50 members based in Bangalore, India
  • We uphold detailed time sheets and daily reports
  • Virtual web developers and web designers working remotely
  • Quality driven delivery model
  • WordPress Development in Birmingham
  • Drupal Development in Birmingham
  • Joomla Development in Birmingham
  • eCommerce Magento Birmingham
  • Web Development Birmingham
  • Web Design Birmingham
  • jQuery development Birmingham
  • Zend framework development Birmingham
  • Airline IBE GDS Integration Navitaire Birmingham
  • Airline IBE GDS Integration Amadeus Birmingham