15 Nov

WP eCommerce Claims to Have Fixed Vulnerability in One Day Despite Fixing It Seven Months After Being Notified

The developers of the eCommerce plugin WP eCommerce released a new version, 3.11.4, to fix a possible SQL injection vulnerability in the plugin on Saturday. As we noted when we looked into this in April it doesn’t look like it could have been exploited:

The good news is that the vulnerability does not look like something that someone using the plugin would need to worry about being exploited at this time for two reasons. First, the code is part of 2.0 theme engine, which is scheduled to be the default one in version 4.0, but at this point you have to manually enable it. We had a hard time finding out how to do that, so it doesn’t seem likely that it would be widely used at this point. Second, the code only is run if someone is using Payment Express as their payment processor.

The disclosure that lead to that post occurred in a thread on wordpress.org Support Forum in March and the developers of the plugin were aware of it as they responded within several hours. Strangely when WP eCommerce finally fixed it they made this claim:

We were notified of a security vulnerability – a SQL injection vulnerability. It was responsibly disclosed by the plugins team at WordPress.org – we’re grateful for their disclosure and discretion.  We were notified yesterday, patched on GitHub within an hour of being notified, and pushed a release to WordPress.org this morning.

The best case here is that the plugin’s developers are not all on the same page and at least one of them doesn’t really care about security, otherwise this could have easily been fixed back in March.

Leave a Reply

Your email address will not be published. Required fields are marked *