This morning I became aware of a critical exploit affecting WP e-Commerce stores selling electronic Products.
The vulnerability allows a guest user using a specially crafted URL to download electronic Products from WP e-Commerce stores without logging in or purchasing Products.
The Instinct team will make a patch available shortly but I want to give store owners the heads up so that they can address this issue immediately. Below are the required changes required to close this vulnerability.
- Open user-downloads.php within /wp-content/plugins/wp-e-commerce/…
- On line #3 replace the existing line starting with “
$purchases =“, with the following:
$purchases= $wpdb->get_col("SELECT 'id' FROM '".WPSC_TABLE_PURCHASE_LOGS."' WHERE user_ID = '".(int)$user_ID."' AND user_ID != 0") ;
- On line #11 replace the existing line starting with “
$sql =“, with the following:
$sql = "SELECT * FROM '".WPSC_TABLE_DOWNLOAD_STATUS."' WHERE 'purchid' IN ".$perchidstr." AND 'active' IN ('1') ORDER BY 'datetime' DESC";
- Save changes to user-downloads.php
That’s it, access the My Downloads page as a guest (e.g. http://www.visser.com.au/account/downloads=true) to confirm this patch worked. All the best!