Another round of WordPress vulnerability disclosures has taken place with details made public on a handful of unpatched bugs in the CartPress ecommerce plugin.
These disclosures come on the heels of a separate disclosure of a zero-day in the WordPress core engine. Those vulnerabilities have since been patched.
The CartPress vulnerabilities were reported on three separate occasions by researchers at High-Tech Bridge, on April 8, 17 and 27. According to the timeline published in the High-Tech Bridge advisory, no acknowledgement was received from CartPress.
“Currently, we are not aware of any official solution for this vulnerability,” the advisory says. CartPress will no longer be supported as of June 1. “We recommend disabling or removing the vulnerable plugin as a workaround.”
According to High-Tech Bridge, the vulnerabilities can be exploited to run code, disclose data or carry out cross-site scripting attacks against sites running the plugin.
The first bug is a local PHP file inclusion issue (CVE-2015-3301), which requires WordPress admin privileges to exploit; the affected script, High-Tech Bridge said, is also vulnerable to cross-site request forgery. An attacker could use this bug to access local files via directory traversal.
A stored cross-site scripting bug, similar to the one patched this week in the core engine, was also discovered. The advisory says that user-supplied HTTP parameters in the Shipping Address and Billing Address sections are not sanitized before being stored in the local database. An attacker could inject malicious HTML and JavaScript code.
Another vulnerability in the plugin stems from improper access controls and could allow a non-authenticated user to browse the orders of other customers. An attacker can trigger the vulnerability by visiting a particular URL that contains an Order ID number, which is predictable from previous orders.
“This enables non-authenticated remote attackers to steal all currently existing orders,” the advisory said.
The final issue covers multiple cross-site scripting vulnerabilities, all of which stem from input that is not properly sanitized before it is returned to the user. Remote attackers can craft a specially constructed link that executes script in the victim's browser.