Description
WordPress Plugin WP eCommerce is prone to multiple cross-site scripting and SQL injection vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, to compromise the application, access or modify data or to exploit vulnerabilities in the underlying database. WordPress Plugin WP eCommerce version 3.8.9 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 3.8.9.1 or latest
References
Related Vulnerabilities
FluxBB Use of Password Hash With Insufficient Computational Effort Vulnerability (CVE-2020-28873)
WordPress Plugin Contact Form 7 Multi-Step Forms Security Bypass (3.0.8)
Joomla! Core 3.x.x Cross-Site Scripting (3.1.2 - 3.8.7)
Joomla! Core 2.5.x Clickjacking Vulnerability (2.5.0 - 2.5.7)
Moodle Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-0211)