WP eCommerce <= 3.11.3 - SQL Injection in sessionid

Description
From vendor: "This vulnerability only affects users who use eWay as their payment gateway, have Gold Cart activated, and are using the as-of-yet-unreleased Theme Engine 2.0. We believe the number of users affected is likely close to zero, due to these conditions – but still, we highly recommend updating."

Affects

Plugin wp-e-commerce
fixed in version 3.11.4

References

URL https://wptavern.com/wp-ecommerce-3-11-4-patches-sql-injection-vulnerability
URL https://wpecommerce.org/news/wp-ecommerce-3-11-4-security-update/
URL https://github.com/wp-e-commerce/WP-e-Commerce/commit/1ea8329a5617c8181490c3fad102cc81d75eb0d4

Classification

Type SQLI
OWASP Top 10 A1: Injection
CWE CWE-89

Miscellaneous

Submitter ethicalhack3r
Submitter Website https://dewhurstsecurity.com/
Submitter Twitter ethicalhack3r
Views 139
Verified No
WPVDB ID 8660

Timeline

Publicly Published 2016-11-12
Added 2016-11-15
Last Updated 2016-11-15

Copyright & License

Copyright All data and resources contained within this page and this web site are Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes; however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license, please contact us.