Daniel Compton of BSI Cybersecurity and Information Resilience (formerly Info-Assure Ltd) discovered a high-risk security vulnerability in the X-Cart 5.x shopping cart for WordPress. This is a significant vulnerability: it could allow a customer who signs up to the online store to take control of the backend administrator panel, gaining access to customer data and giving the attacker control of the website.
X-Cart is an ecommerce shopping platform that is used in over 33,000 online stores in 111 countries around the world and is responsible for transactions totalling over 2 billion dollars.
We urge all users to upgrade to X-Cart version 5.1.11 ASAP.
As part of our responsible disclosure program, we will not release any information until the vendor has patched the vulnerability. Once the vulnerability has been patched we will not disclose the exact details or exploitation methods for the vulnerability for 3 months. This gives all users of the product sufficient time to ensure they have updated their products and are protected against the issue.
Vulnerability type: Stored cross-site scripting
Vendor: X-Cart
Vulnerable product version: X-Cart 5.10 and below.
Fixed product version: X-Cart 5.1.11
Vendor patch release: http://kb.x-cart.com/display/XDD/5.1.11+-+24+Feb+2015
Discovered: 28/01/2015
Reported: 29/01/2015
Vendor fixed: 24/02/2015
Partial disclosure: 27/02/2015
Full disclosure: TBA.
