Wordfence Blog

WordPress Security: Vulnerability in WP eCommerce Plugin

This entry was posted in WordPress Security on October 31, 2014 by Mark Maunder

A serious vulnerability was announced within the last 24 hours in the WP eCommerce Plugin. The authors have released a fix and you are encouraged to update immediately. The fixed version is

The vulnerability allows an attacker to export user names, addresses, and other private information. It also allows an attacker to modify orders.

We are receiving reports as of 11am Pacific Time that hosting companies (Bluehost specifically) are automatically updating this plugin to the newest version if they detect that you have it installed, but please don’t rely on this. Take action now to protect your site.

This is an extremely popular plugin with approximately 3 million downloads, so please spread the word about this vulnerability now and help keep the community safe.

5 Comments on "WordPress Security: Vulnerability in WP eCommerce Plugin"

Dave Austin October 31, 2014 at 5:22 pm

Again, thanks for the heads up. Looks like I have work to do on a client's site tomorrow!

mark October 31, 2014 at 5:24 pm

Hi Dave, you're welcome. Sorry to hear you're working on the weekend. Looks like we are too: Check out the brute force attack underway right now on our home page: http://www.wordfence.com/
