This morning I became aware of a critical exploit affecting WP e-Commerce stores selling electronic Products.
The vulnerability allows a guest user using a specially crafted URL to download electronic Products from WP e-Commerce stores without logging in or purchasing Products.
The Instinct team will make a patch available shortly, but I want to give store owners a heads up so that they can address this issue immediately. Below are the changes required to close this vulnerability.
Open user-downloads.php within /wp-content/plugins/wp-e-commerce/…
On line #3 replace the existing line starting with `$purchases =` with the following (table and column names are quoted with backticks, as MySQL requires for identifiers):

```php
$purchases = $wpdb->get_col("SELECT `id` FROM `".WPSC_TABLE_PURCHASE_LOGS."` WHERE user_ID = '".(int)$user_ID."' AND user_ID != 0");
```

The added `AND user_ID != 0` condition is the actual fix: a visitor who is not logged in has a user_ID of 0, so without it the query matched every guest checkout in the purchase log and the guest was offered those downloads.

On line #11 replace the existing line starting with `$sql =` with the following:

```php
$sql = "SELECT * FROM `".WPSC_TABLE_DOWNLOAD_STATUS."` WHERE `purchid` IN ".$perchidstr." AND `active` IN ('1') ORDER BY `datetime` DESC";
```
Save changes to user-downloads.php
That’s it. Access the My Downloads page as a guest (e.g. http://www.visser.com.au/account/downloads=true) to confirm the patch worked: no downloads should be listed. All the best!
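To see why the `AND user_ID != 0` condition closes the hole, here is a small stand-alone PHP model added for illustration; it is not code from WP e-Commerce or from the patch above. The table constant, the sample rows and the `purchase_log_sql()`/`purchase_ids()` helpers are all constructed for this example.

```php
<?php
// Added example, not code from WP e-Commerce or from the patch above.
// Models the first query in user-downloads.php against a constructed
// in-memory purchase-log table to show why "AND user_ID != 0" matters.
define('WPSC_TABLE_PURCHASE_LOGS', 'wp_wpsc_purchase_logs');

// Constructed sample rows: two guest checkouts (user_ID 0) and one by user 5.
$purchase_logs = [
    ['id' => 101, 'user_ID' => 0],
    ['id' => 102, 'user_ID' => 0],
    ['id' => 103, 'user_ID' => 5],
];

// Builds the purchase-log query; $patched adds the guest exclusion.
function purchase_log_sql(int $user_ID, bool $patched): string {
    $sql = "SELECT `id` FROM `" . WPSC_TABLE_PURCHASE_LOGS . "`"
         . " WHERE user_ID = '" . (int) $user_ID . "'";
    return $patched ? $sql . " AND user_ID != 0" : $sql;
}

// Stand-in for $wpdb->get_col(): applies the same WHERE clause to the
// in-memory rows instead of sending the SQL to MySQL.
function purchase_ids(array $rows, int $user_ID, bool $patched): array {
    $ids = [];
    foreach ($rows as $row) {
        if ($row['user_ID'] !== $user_ID) {
            continue;                       // WHERE user_ID = '<id>'
        }
        if ($patched && $row['user_ID'] === 0) {
            continue;                       // AND user_ID != 0
        }
        $ids[] = $row['id'];
    }
    return $ids;
}

// WordPress sets $user_ID to 0 for a visitor who is not logged in, so the
// guest's own id matches every guest checkout that was ever made.
$guest = 0;
echo purchase_log_sql($guest, false), "\n";
print_r(purchase_ids($purchase_logs, $guest, false)); // unpatched: guest orders match
echo purchase_log_sql($guest, true), "\n";
print_r(purchase_ids($purchase_logs, $guest, true));  // patched: guest gets no rows
print_r(purchase_ids($purchase_logs, 5, true));       // patched: user 5 keeps their own
```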
WordPress users will notice a new automatic update available for 2.9.2. This security update fixes a vulnerability affecting all WordPress installations since the recent introduction of the Trash feature in the 2.9.* series.
Every logged-in user, even one with the subscriber role, can access all deleted articles and posts that have been moved to the trash. This might not affect the majority of blogs, as it requires at least two registered users and at least one user who is not trusted by the administrator of the site.
I’ve updated the documentation and included the missing SQL file to create the wp_wpsc_favourites table, which stores the individual wishlist items that power Add to Wishlist.
Please re-download Add to Wishlist from the original purchase e-mail that was sent to you. Shortly I’ll be making member facilities to allow customers to log in, manage their downloads/purchases and get priority support within the WP e-Commerce forum for Visser Labs addons.
WP E-Commerce 126.96.36.199 Beta 1 throws a fatal error when Gold Cart is activated and the Settings tab of Store is opened. The error is:
Fatal error: Call to undefined function nzshpcrt_listdir() in /home/public_html/wp-content/uploads/wpsc/upgrades/gold_cart_files/gold_shopping_cart.php on line 746
Good news: Jeff, the ninja coder from Instinct, has already released a quick patch resolving this issue, which is included below:
Change the function call (around line 745) in `upgrades/gold_cart_files/gold_shopping_cart.php` from:

```php
$gold_nzshpcrt_merchant_list = nzshpcrt_listdir($gold_gateway_directory);
```

to:

```php
$gold_nzshpcrt_merchant_list = wpsc_list_dir($gold_gateway_directory);
```
There is a plugin compatibility issue for WordPress sites running the cForms (v 10.6) and WP E-commerce (v 3.7) plugins, affecting the rich-text editor tinyMCE frequently used within the WordPress Administration.
I noticed the tinyMCE editor used for maintaining product descriptions and rich-text fields had stuffed up on a client site: white text on a white background = stuffed up! After some poking and prodding I found a checkbox in cForms > Global Settings > WP Editor Button support, labeled “Select in case you experience a TinyMCE editor error caused by other plugins”. Check it, save changes and tinyMCE works again with WP E-commerce!
I’ve been religiously using the recently introduced Plugin Update within WordPress to keep all my installed WordPress plugins up to date. A recent change in my server environment broke this, and every time I attempted to update a plugin a stream of PHP would come up!