Description
WordPress Plugin WP eCommerce is prone to multiple cross-site scripting and SQL injection vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, to compromise the application, access or modify data or to exploit vulnerabilities in the underlying database. WordPress Plugin WP eCommerce version 3.8.9 is vulnerable; prior versions may also be affected.
Remediation
Update to plugin version 3.8.9.1 or latest
References
Related Vulnerabilities
WordPress 2.6.1 Lost Password SQL Column Truncation Unauthorized Access Vulnerability (0.71 - 2.6.1)
Oracle Database Server CVE-2014-2408 Vulnerability (CVE-2014-2408)
Apache HTTP Server Improper Input Validation Vulnerability (CVE-2014-0117)
Roundcube Resource Management Errors Vulnerability (CVE-2008-5620)