WordPress e-commerce plug-in puts over 5,000 websites at risk
TheCartPress, an e-commerce plug-in used on thousands of WordPress-based websites, has several high-risk vulnerabilities.
There are currently no fixes available for the flaws and, according to the plug-in's developer, support for the plug-in will be discontinued on June 1st.
The vulnerabilities could allow attackers to “execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting [XSS] attacks against users of WordPress installations with the vulnerable plug-in,” researchers from security firm High-Tech Bridge said in an advisory Wednesday.
There are factors that limit the exploitation of some of the flaws, but the flaws still pose a significant risk.