WordPress Security: Vulnerability in WP eCommerce Plugin

A serious vulnerability was announced within the last 24 hours in the WP eCommerce Plugin. The authors have released a fix and you are encouraged to update immediately. The fixed version is

The vulnerability allows an attacker to export user names, addresses, and other private information. It also allows an attacker to modify orders.

We are receiving reports as of 11am Pacific Time that hosting companies (Bluehost specifically) are automatically updating this plugin to the newest version if they detect that you have it installed, but please don’t rely on this. Take action now to protect your site.

This is an extremely popular plugin with approximately 3 million downloads, so please spread the word about this vulnerability now and help keep the community safe.


  • Again, thanks for the heads up. Looks like I have work to do on a client's site tomorrow!

    • Hi Dave, you're welcome. Sorry to hear you're working on the weekend. Looks like we are too: Check out the brute force attack underway right now on our home page: http://www.wordfence.com/