Description
WordPress Plugin WP Online Store is prone to a local file inclusion vulnerability and multiple file disclosure vulnerabilities because it fails to properly sanitize user-supplied input. An attacker can exploit these issues to execute arbitrary local files within the context of the web server process, or to obtain potentially sensitive information from local files, which may aid in launching further attacks. WordPress Plugin WP Online Store version 1.3.1 downloaded before 2013.01.17 is vulnerable; prior versions may also be affected.
Remediation
Update the plugin to version 1.3.2 or the latest version.
References
http://ceriksen.com/2013/02/18/wordpress-online-store-local-file-inclusion-vulnerability/
http://ceriksen.com/2013/02/18/wordpress-online-store-arbitrary-file-disclosure/
Related Vulnerabilities
WordPress Plugin Anti-Splog Cross-Site Scripting (2.1.7)
Joomla! Core 3.x.x Security Bypass (3.0.0 - 3.4.4)
WordPress Plugin Woo Import Export Arbitrary File Deletion (1.0)
WordPress Plugin Zingiri Web Shop 'abspath' Parameter Remote File Include (2.4.6)
WordPress Plugin Live Chat-Live support Cross-Site Request Forgery (3.1.0)