15 Nov 2016

WP eCommerce Claims to Have Fixed Vulnerability in One Day Despite Fixing It Seven Months After Being Notified

The developers of the eCommerce plugin WP eCommerce released a new version, 3.11.4, on Saturday to fix a possible SQL injection vulnerability in the plugin. As we noted when we looked into this in April, it doesn’t look like it could have been exploited:

The good news is that the vulnerability does not look like something that someone using the plugin would need to worry about being exploited at this time, for two reasons. First, the code is part of the 2.0 theme engine, which is scheduled to be the default one in version 4.0, but at this point you have to manually enable it. We had a hard time finding out how to do that, so it doesn’t seem likely that it would be widely used at this point. Second, the code is only run if someone is using Payment Express as their payment processor. [Read more]

7 Apr 2016

When Full Disclosure Just Highlights Bad Security Practices With a WordPress Plugin

When it comes to problems we see with the handling of security in WordPress plugins by the people behind WordPress, one of the overarching issues is their overemphasis on keeping quiet about vulnerabilities. While there certainly can be additional security risks due to the information being more widely available, there can be upsides as well. For example, we frequently find that supposedly fixed vulnerabilities have not actually been fixed. Without the disclosure of those vulnerabilities we wouldn’t be able to check whether they have been fixed and make sure they actually get fixed. Another thing disclosure can do is show when developers of plugins are not taking security seriously, as something we spotted last week shows.

A week ago, a report of a potential SQL injection vulnerability in the WP eCommerce plugin was posted on the support forum. Shortly afterwards, one of the plugin’s authors marked the thread as resolved and wrote: [Read more]