WP e-Commerce 3.8.6.1 and 3.7.8.1: Mandatory Security Update
Hi everyone,
Our friend Miroslav Stampar helped us discover a serious security issue in WP e-Commerce 3.8.6 and older. We rolled out a critical update for the 3.8.x and 3.7.x branches as fast as we could. Although the vulnerable code lives in the Chronopay payment gateway, this affects all WP e-Commerce 3.8.x and 3.7.x sites, whether or not you have Chronopay enabled.
As a result, this is a MANDATORY security update for all WP e-Commerce 3.8 and 3.7 users. Please upgrade your plugin as soon as possible. Below are the links.
If you’re using 3.8.x, use WordPress automatic upgrade, or download 3.8.6.1 by clicking here.
If you’re using 3.7.x, download 3.7.8.1 by clicking here.
Update: Lee Willis pointed out that removing the wpsc-merchants/chronopay.php file will work as well. This can be a good solution for sites that don’t want to overwrite changes they made to the core code of the WP e-Commerce plugin.
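For site owners with many installs, an added audit script (not part of this post or of the plugin) that applies the two facts above: the version is fixed from 3.8.6.1 / 3.7.8.1 on, and an older install is mitigated once wpsc-merchants/chronopay.php is gone. It assumes the plugin's version header is in a main file named wp-shopping-cart.php, which you may need to adjust for your copy.

```python
"""Audit a WP e-Commerce directory against the 3.8.6.1 / 3.7.8.1 advisory."""
import re
from pathlib import Path

# Fixed versions per branch, as stated in the advisory.
FIXED = {"3.8": (3, 8, 6, 1), "3.7": (3, 7, 8, 1)}
# Gateway file named in the advisory's workaround, relative to the plugin dir.
CHRONOPAY = Path("wpsc-merchants") / "chronopay.php"
# Matches the "Version:" field of a WordPress plugin header comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.M)


def parse_version(header_text):
    """Return the plugin version as an int tuple, or None if not found."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).rstrip(".").split("."))


def assess(version, chronopay_present):
    """Classify one install: 'patched', 'mitigated', 'vulnerable' or 'unknown'."""
    if version is None:
        return "unknown"
    branch = ".".join(str(p) for p in version[:2])
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"  # a branch this advisory does not cover
    # Tuple comparison treats (3, 8, 6) as older than (3, 8, 6, 1).
    if version >= fixed:
        return "patched"
    # Older code, but the gateway file was removed: the documented workaround.
    return "vulnerable" if chronopay_present else "mitigated"


def audit(plugin_dir, main_file="wp-shopping-cart.php"):
    """Read the plugin header on disk and classify the install."""
    plugin_dir = Path(plugin_dir)  # main_file name is an assumption
    try:
        header = (plugin_dir / main_file).read_text(errors="replace")
    except OSError:
        return "unknown"
    return assess(parse_version(header), (plugin_dir / CHRONOPAY).is_file())


if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```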
Does this update include all the fixes with the latest beta release???
Hi TR,
No, this does not include the fixes in beta release.
Should do! Just in case, I have re-uploaded themes with the latest versions, all of which support sidebar widgets. Let me know if you are still having trouble and which theme you are trying.
Nice work Gary!!!
Presumably if we’re not using Chronopay we can just remove chronopay.php ?
Yes, that would be a good work-around too, especially when the wp-e-commerce core code is modified and you don’t want to overwrite your changes with the update.
I installed the update, but now the plugin is broken. I can’t see it in my plugins list.
By “broken” do you mean the store is not working any more, or does it just disappear from your plugins list?
Perhaps the automatic upgrade by WordPress has failed somehow. Please try re-installing 3.8.6.1. All your data is still safe, so no worries.
Installed it but now when i click clear cart, it adds index.php on my single product page. Any ideas why is it so? The products display all gone after clear cart.
Hi Eric,
Which upgrade did you use? 3.8.6.1 or 3.7.8.1?
These security releases only modify the compromised chronopay code, so it should not affect any other aspects of your store.
Do you have screenshots? Please send those to gary@instinct.co.nz
Thanks!
Gary you need a Gravatar bro – you’re so much more colorful than default
I thought I had one. Will update soon
Sorry for late reply. Just sent you the image.
Should I have to replace those files I moved to my theme’s directory as well?
And also, where can I suggest an improvement of the code?
Hey Valerio. My thoughts would be the dev mailing list.
http://groups.google.com/group/wordpress-e-commerce-plugin
Hi Valerio,
No you don’t need to modify any files in your theme, just upgrade the core WP e-Commerce plugin and you’re good to go.
Gary.
I upgraded and now have no working shop at all. At a loss to know what to do.
Hi Christine,
I need more details other than “not working”. Screenshots as well if possible. Please send those to gary@instinct.co.nz.
Also, from which version are you updating, and to which?
Thanks.
Gary.
Hey – I ran a search in the forums section but most answers are about a year old if not more…
Is the plugin PCI compliant?
Just installed/updated to WP e-Commerce 3.8.6.1 and it’s thrown my site totally out; it’s just not functioning right. This has happened with updates previously and I’ve simply re-added/returned to 3.7.8. However, this time when I try to add/return to 3.7.8 the install is failing with an error message stating that the file already exists.
Due to this I currently have no site and no business and so any help would be appreciated….PLEASE..
What file needs to change, I have many customizations in my WP E-commerce installation which I do not want to overwrite?
I started the update on 2 of my sites. Script still running 15 minutes later and sites both down. Looks like maybe this thing is not really working well! Any suggestions?
Oh good, it “failed to complete” on one site and the site is now back up. I will hope the other does the same and then check back with you after this thing is working better.
I am a newbie at WordPress, setting up WP websites for friends and family. Inasmuch as most of the sites I set up are on a budget, we use free WP themes on all of them. I was utterly aghast at your findings, and to think that I just click on those top SERP sites and download the free themes assuming that their makers are cool honest guys. Now, I have some tools to use to check these themes. The TAC tool however seems not to have been updated since 2009.