WP e-Commerce Guest Downloads Exploit

This morning I became aware of a critical vulnerability affecting WP e-Commerce stores that sell electronic (downloadable) Products.

The vulnerability allows a guest visitor, using a specially crafted URL, to download electronic Products from a WP e-Commerce store without logging in or purchasing them.

The Instinct team will make a patch available shortly, but I want to give store owners a heads-up so that they can address this issue immediately. Below are the changes required to close this vulnerability. The key change is the added AND user_ID != 0 condition: a logged-out visitor has a WordPress user ID of 0, and guest checkouts are recorded in the purchase log with user_ID 0 as well, so a purchase lookup keyed only on user_ID hands a guest the downloads belonging to those purchases.

  1. Open user-downloads.php within /wp-content/plugins/wp-e-commerce/…
  2. On line #3 replace the existing line starting with “$purchases = ” with the following (note the (int) cast and the user_ID != 0 condition, and that the table and column names are wrapped in backticks, not single quotes, or MySQL will reject the query):
     $purchases = $wpdb->get_col("SELECT `id` FROM `".WPSC_TABLE_PURCHASE_LOGS."` WHERE user_ID = '".(int)$user_ID."' AND user_ID != 0");
  3. On line #11 replace the existing line starting with “$sql = ” with the following (the $perchidstr variable, spelled as in the plugin, is already defined in this file; do not rename it):
     $sql = "SELECT * FROM `".WPSC_TABLE_DOWNLOAD_STATUS."` WHERE `purchid` IN ".$perchidstr." AND `active` IN ('1') ORDER BY `datetime` DESC";
  4. Save changes to user-downloads.php

That’s it. To confirm the patch worked, log out and access the My Downloads page as a guest (e.g. http://www.visser.com.au/account/downloads=true): no downloads should be listed. All the best!
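For readers who want the whole check in one place, the access logic from the two replaced lines is shown below as an added example. It is not the plugin's code and not code from this post: it swaps the string concatenation for WordPress' $wpdb->prepare(), and it assumes the plugin's table-name constants WPSC_TABLE_PURCHASE_LOGS and WPSC_TABLE_DOWNLOAD_STATUS, the global $wpdb object, and the get_current_user_id() helper; the wpsc_example_* function names are made up for illustration.

```php
<?php
// Added example, not the WP e-Commerce plugin's own code.
// Assumes: the constants WPSC_TABLE_PURCHASE_LOGS and WPSC_TABLE_DOWNLOAD_STATUS
// (defined by the plugin), WordPress' global $wpdb, and get_current_user_id().

/**
 * Return the purchase-log ids owned by $user_ID, or an empty array for a guest.
 *
 * WordPress reports a logged-out visitor as user id 0, and guest checkouts are
 * stored with user_ID 0, so a query that only matches on user_ID would hand a
 * guest every guest purchase in the store. Refusing id 0 up front is the same
 * guard as the patch's "AND user_ID != 0", without issuing a query at all.
 */
function wpsc_example_purchase_ids( $user_ID ) {
	global $wpdb;

	$user_ID = (int) $user_ID;
	if ( $user_ID <= 0 ) {
		return array(); // guest (or garbage): nothing to list
	}

	return $wpdb->get_col(
		$wpdb->prepare(
			"SELECT `id` FROM `" . WPSC_TABLE_PURCHASE_LOGS . "` WHERE `user_ID` = %d",
			$user_ID
		)
	);
}

/**
 * Return the active download-status rows for the given purchase ids.
 *
 * The IN list is built from one %d placeholder per id, so nothing derived from
 * the request reaches the query unescaped, and an empty id list short-circuits
 * instead of producing an invalid "IN ()" clause.
 */
function wpsc_example_active_downloads( array $purchase_ids ) {
	global $wpdb;

	$purchase_ids = array_map( 'intval', $purchase_ids );
	if ( empty( $purchase_ids ) ) {
		return array();
	}

	$placeholders = implode( ',', array_fill( 0, count( $purchase_ids ), '%d' ) );
	$sql = "SELECT * FROM `" . WPSC_TABLE_DOWNLOAD_STATUS . "`"
	     . " WHERE `purchid` IN ({$placeholders}) AND `active` = 1"
	     . " ORDER BY `datetime` DESC";

	// prepare() accepts a single array of arguments in place of a variadic list.
	return $wpdb->get_results( $wpdb->prepare( $sql, $purchase_ids ) );
}

// Usage inside the My Downloads template (hypothetical call site):
// $downloads = wpsc_example_active_downloads(
//     wpsc_example_purchase_ids( get_current_user_id() )
// );
```

The first function is the one that matters for this vulnerability: with the id-0 guard in place a guest never reaches the download-status query, so the "My Downloads" page is empty for anyone who is not logged in, regardless of how the URL is crafted.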