High-Tech Bridge has identified multiple vulnerabilities – local PHP file inclusion, cross-site scripting (XSS), and improper access control – in the TheCartPress eCommerce shopping cart plugin for WordPress websites.
The vulnerabilities – which the security firm considers to be high risk – can be exploited in a variety of ways, including to execute arbitrary PHP code and to disclose sensitive data, according to a Wednesday post.
In a Wednesday email correspondence, Ilia Kolochenko, CEO of High-Tech Bridge, told SCMagazine.com that some of the exploits require a WordPress website administrator to click a malicious link. He indicated that this can be done through social engineering, and that free tools and frameworks simplify the process.
“The attacker can compromise [a] WordPress administrator account (in case of XSS exploitation) and potentially get full control over the [WordPress] installation, including all passwords (hashed) and other sensitive user-data,” Kolochenko said.
Kolochenko added, “In case of local PHP [file inclusion] vulnerability exploitation, the attacker can execute arbitrary PHP code and potentially compromise not only the entire web application, but the web server on which it is hosted.”
The improper access control vulnerability does not require any actions from the administrator, and enables remote attackers to view the orders of other customers, Kolochenko said.
High-Tech Bridge identified the vulnerabilities in TheCartPress version 1.3.9, but indicated that prior versions are likely also vulnerable. The security team notified the vendor multiple times beginning on April 8, but the issues have not been addressed. According to the TheCartPress website, support for the plugin ends on June 1.
“For the moment we didn't see this vulnerability being exploited in the wild,” Kolochenko said. “However, as the vendor didn't provide any solution, we shall expect attacks targeting this plugin. We strongly recommend disabling it as soon as possible.”