WP e-Commerce Guest Downloads Exploit

This morning I became aware of a critical vulnerability affecting WP e-Commerce stores that sell electronic (downloadable) products.

The vulnerability allows a guest user, using a specially crafted URL, to download electronic products from a WP e-Commerce store without logging in or purchasing anything.

The Instinct team will make a patch available shortly, but I want to give store owners a heads-up so they can address this issue immediately. The changes below close the vulnerability.

  1. Open user-downloads.php within /wp-content/plugins/wp-e-commerce/…
  2. On line #3 replace the existing line starting with “$purchases = ” with the following: $purchases = $wpdb->get_col("SELECT `id` FROM `".WPSC_TABLE_PURCHASE_LOGS."` WHERE user_ID = '".(int)$user_ID."' AND user_ID != 0");
  3. On line #11 replace the existing line starting with “$sql = ” with the following: $sql = "SELECT * FROM `".WPSC_TABLE_DOWNLOAD_STATUS."` WHERE `purchid` IN ".$perchidstr." AND `active` IN ('1') ORDER BY `datetime` DESC";
  4. Save changes to user-downloads.php
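To see why the two extra conditions matter, here is an added example (not code from the original post or from the WP e-Commerce plugin) that runs the before and after queries against a constructed in-memory SQLite database, so the behaviour can be compared without a WordPress install. It assumes PHP with the pdo_sqlite extension, stand-in values for the WPSC_TABLE_PURCHASE_LOGS and WPSC_TABLE_DOWNLOAD_STATUS constants, a minimal table layout, and constructed purchase rows. The "before" function is reconstructed from what the patch changes (the original lines minus the `user_ID != 0` and `active` conditions) and is not a verbatim copy of the old file. WordPress sets the global $user_ID to 0 for visitors who are not logged in, which is the value the added `user_ID != 0` check rules out.

```php
<?php
// Added example, not part of the original post or of WP e-Commerce.
// Requires the pdo_sqlite extension. Table names below are stand-ins
// for the plugin's constants; rows are constructed sample data.
define('WPSC_TABLE_PURCHASE_LOGS',   'wpsc_purchase_logs');
define('WPSC_TABLE_DOWNLOAD_STATUS', 'wpsc_download_status');

function build_fixture(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE `' . WPSC_TABLE_PURCHASE_LOGS . '` '
            . '(`id` INTEGER PRIMARY KEY, `user_ID` INTEGER NOT NULL)');
    $db->exec('CREATE TABLE `' . WPSC_TABLE_DOWNLOAD_STATUS . '` '
            . '(`id` INTEGER PRIMARY KEY, `purchid` INTEGER NOT NULL, '
            . '`fileid` TEXT NOT NULL, `active` INTEGER NOT NULL, `datetime` TEXT NOT NULL)');
    // Constructed data: a logged-out visitor has $user_ID == 0, and a
    // guest checkout is logged with user_ID 0 as well.
    $db->exec('INSERT INTO `' . WPSC_TABLE_PURCHASE_LOGS . '` VALUES '
            . '(1, 7), '   // registered customer, user 7
            . '(2, 0), '   // guest checkout
            . '(3, 7)');   // user 7 again; its download was later deactivated
    $db->exec('INSERT INTO `' . WPSC_TABLE_DOWNLOAD_STATUS . '` VALUES '
            . "(1, 1, 'ebook.pdf',       1, '2009-03-01 10:00:00'), "
            . "(2, 2, 'guest-album.zip', 1, '2009-03-02 10:00:00'), "
            . "(3, 3, 'expired.pdf',     0, '2009-03-03 10:00:00')");
    return $db;
}

// BEFORE (assumption: reconstructed by removing the conditions the patch
// adds; not a verbatim copy of the unpatched user-downloads.php).
function downloads_unpatched(PDO $db, int $user_ID): array
{
    $purchases = $db->query('SELECT `id` FROM `' . WPSC_TABLE_PURCHASE_LOGS
        . "` WHERE user_ID = '" . (int)$user_ID . "'")->fetchAll(PDO::FETCH_COLUMN);
    if (!$purchases) {
        return [];
    }
    $perchidstr = '(' . implode(',', $purchases) . ')';
    return $db->query('SELECT `fileid` FROM `' . WPSC_TABLE_DOWNLOAD_STATUS
        . '` WHERE `purchid` IN ' . $perchidstr . ' ORDER BY `datetime` DESC')
        ->fetchAll(PDO::FETCH_COLUMN);
}

// AFTER: the two conditions from the patch. A logged-out visitor (user_ID 0)
// no longer matches guest-checkout purchase logs, and only downloads still
// flagged active are returned. Values are bound rather than concatenated.
function downloads_patched(PDO $db, int $user_ID): array
{
    $stmt = $db->prepare('SELECT `id` FROM `' . WPSC_TABLE_PURCHASE_LOGS
        . '` WHERE user_ID = ? AND user_ID != 0');
    $stmt->execute([$user_ID]);
    $purchases = $stmt->fetchAll(PDO::FETCH_COLUMN);
    if (!$purchases) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($purchases), '?'));
    $stmt = $db->prepare('SELECT `fileid` FROM `' . WPSC_TABLE_DOWNLOAD_STATUS
        . "` WHERE `purchid` IN ($marks) AND `active` IN ('1') ORDER BY `datetime` DESC");
    $stmt->execute($purchases);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = build_fixture();
foreach ([0 => 'guest (user_ID 0)', 7 => 'registered user 7'] as $uid => $label) {
    printf("%-18s before: %-16s after: %s\n", $label,
        implode(',', downloads_unpatched($db, $uid)) ?: '(none)',
        implode(',', downloads_patched($db, $uid)) ?: '(none)');
}
```

Run with `php example.php`: the guest row shows the guest checkout's file before the patch and nothing after it, while user 7 loses only the deactivated download. The real plugin builds its list with $wpdb rather than PDO, but the two SQL conditions are the same ones given in steps 2 and 3 above.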

That’s it. To confirm the patch worked, open the My Downloads page while logged out (e.g. http://www.visser.com.au/account/downloads=true) and check that no downloads are listed. All the best!
