A popular WordPress plug-in that provides eCommerce capabilities for thousands of websites has several high-risk vulnerabilities — and they’re not expected to be fixed, the IDG News Service reported on Thursday (April 30).
TheCartPress, an open-source plug-in that is currently used in more than 5,000 WordPress eCommerce installations, suffers from a whole slew of security problems that could let attackers “execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting attacks against users of WordPress installations with the vulnerable plug-in,” according to researchers at Swiss security company High-Tech Bridge in an advisory issued on Wednesday (April 29).
No patches for the vulnerabilities are currently available, and according to the developer’s website, “support for TheCartPress will end on June 1, 2015.” High-Tech Bridge said in its advisory that it hasn’t seen evidence of the security holes having been exploited, but it recommends disabling or removing the vulnerable plug-in.
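Since the advisory's only remediation is to disable or remove the plug-in, the first practical step for an operator is finding every WordPress install that still has it. The script below is an added example, not code from TheCartPress, WordPress or High-Tech Bridge: it reads the standard plug-in header block (the `Plugin Name:` / `Version:` comment WordPress itself parses, using the same header regex shape WordPress does) from each plug-in directory under `wp-content/plugins` and reports matches by name. The directory slug `thecartpress`, the sample version string and the throwaway install it builds are constructed for the demonstration.

```python
"""Inventory check: locate a named WordPress plug-in in an install by reading
the standard plug-in header comment. Added example for this article; it
assumes the usual <wp_root>/wp-content/plugins/<slug>/ layout and the standard
"Plugin Name:" / "Version:" header fields."""

import os
import re
import tempfile

HEADER_FIELDS = ("Plugin Name", "Version", "Author")
# WordPress reads only the first 8 KiB of a plug-in file when looking for headers.
HEADER_BYTES = 8192


def parse_plugin_header(php_source: str) -> dict:
    """Return the header fields found in the leading comment of a plug-in file."""
    head = php_source[:HEADER_BYTES]
    found = {}
    for field in HEADER_FIELDS:
        # Leading comment decoration, the field name, a colon, then the value to
        # end of line: the same shape as WordPress's own header regex.
        pattern = r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$"
        m = re.search(pattern, head, re.MULTILINE | re.IGNORECASE)
        if m:
            # Drop a trailing '*/' if the header comment closes on the same line.
            found[field] = m.group(1).strip().rstrip("*/").strip()
    return found


def inventory_plugins(wp_root: str) -> list:
    """Scan wp-content/plugins and return (slug, header) for every plug-in found."""
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    results = []
    if not os.path.isdir(plugins_dir):
        return results
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_path = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_path):
            continue
        # The main plug-in file is whichever top-level .php file carries a header.
        for name in sorted(os.listdir(plugin_path)):
            if not name.endswith(".php"):
                continue
            with open(os.path.join(plugin_path, name), encoding="utf-8", errors="replace") as fh:
                header = parse_plugin_header(fh.read(HEADER_BYTES))
            if "Plugin Name" in header:
                results.append((slug, header))
                break
    return results


def find_plugin(wp_root: str, name_fragment: str) -> list:
    """Return inventory entries whose Plugin Name contains name_fragment (case-insensitive)."""
    needle = name_fragment.lower()
    return [(slug, hdr) for slug, hdr in inventory_plugins(wp_root)
            if needle in hdr["Plugin Name"].lower()]


def build_sample_install() -> str:
    """Create a throwaway WordPress-like tree with two constructed plug-ins (test data only)."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    samples = {
        # Slug and version string are constructed for this example.
        "thecartpress": ("thecartpress.php",
                         "<?php\n/*\nPlugin Name: TheCartPress\nVersion: SAMPLE-VERSION\nAuthor: Example\n*/\n"),
        "hello-dolly": ("hello.php",
                        "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.6\n */\n"),
    }
    for slug, (filename, source) in samples.items():
        d = os.path.join(root, "wp-content", "plugins", slug)
        os.makedirs(d)
        with open(os.path.join(d, filename), "w", encoding="utf-8") as fh:
            fh.write(source)
    return root


if __name__ == "__main__":
    sample_root = build_sample_install()
    for slug, hdr in find_plugin(sample_root, "TheCartPress"):
        print(f"{slug}: {hdr}")
```

Point `find_plugin` at a real document root instead of the sample tree to check a production install; a plug-in that is only deactivated still shows up, which is the point, since the advisory asks for removal as well.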
While the vulnerabilities are real, several factors limit an attacker’s ability to exploit them. In the case of the PHP code execution vulnerability, for example, an attacker would need administrative privileges on the WordPress site. That would require either stealing an administrator’s login credentials or tricking an administrator into triggering the exploit by visiting a malicious web page, the High-Tech Bridge researchers said.
Another vulnerability lets attackers view orders placed by customers of an eCommerce site running TheCartPress. Still others are cross-site scripting issues, which could let attackers trick the store’s customers into executing malicious script in their browsers when they click specially crafted URLs.
TheCartPress’s developers didn’t respond to High-Tech Bridge’s messages throughout April, and it’s not clear how long the company has been planning to shut down support for the vulnerable plug-in. But the developers stopped responding to questions on WordPress’s support forum for TheCartPress in early April — roughly the same time that the security researchers first notified them of the problem.
Reviewers on the WordPress site also speculated that TheCartPress may have decided to close up shop in the face of competition from more widely used WordPress eCommerce plug-ins such as WooCommerce, which claims it runs more than 600,000 online stores.