
WP e-Commerce security release

Update: This release introduces a bug in Customer Account page. If you have not upgraded, please wait until is released shortly. We’re terribly sorry for this and we promise it won’t happen again.

Hi everyone,

Thanks to the work done by Chris Cross, Jon Cave and Alain Schneider, we are pleased to release WP e-Commerce with hardened security. This is a mandatory security release, so no additional bug fixes or features are included.

As always, before upgrading, make sure you have a backup of your files and database.

» Click here to download the latest WP e-Commerce update!

14 Responses to WP e-Commerce security release

  1. davidW December 7, 2011 at 7:48 pm

    Thanks for this. What’s the chance of getting more information about what went into the hardening?

    • Dan Milward December 7, 2011 at 9:51 pm

      Good point David. Justin fixed them earlier today, perhaps he can link to the corresponding issues in Google Code. Would that suffice?

    • Gary Cao December 7, 2011 at 11:29 pm

      Actually we would prefer not to publicly disclose the vulnerabilities as that could affect users who haven’t got a chance to upgrade their shops in time (although this is open source software and theoretically anyone can work out what we just fixed by looking at the source code if they’re technical enough).

      This release does not contain any new features or new bug fixes compared to, so if you’re upgrading from, you don’t have to worry.

  2. davidW December 8, 2011 at 7:27 am

    Thanks Dan. I went over there and did the homework.

    Gary, I hear you and that’s a valid concern. The issue I see is that you have a lot of unsophisticated users of WPEC, which is a good thing, but not releasing a few details, at least general ones, leaves a lot of people in the dark. For example, do people who are using versions 3.7.x need to be concerned?

    When the Chrono Pay security leak was discovered it could have been addressed simply by removing or adding that one file; instead we were getting calls from folks who had unwittingly upgraded for the first time from 3.7 (which broke their sites) to secure their sites when all they needed to do (as was pointed out later by Lee) was delete or upgrade that one file.

    I don’t think you need to release a line by line description of where the fixes / hardening took place, but I do think you should give some general details.

    One last thing, if this is truly a major and mandatory security upgrade you may want to consider whether or not the blog is the best form of communication. I realize people are notified in their plugins areas as well, but that doesn’t tell them it’s a major security upgrade, just that lots of things have changed. I would hate to see WP E-commerce needing to offer an apology like the one Woo was forced to on Sept 8th, because they had failed to communicate well.

    Thanks for the security fixes and keep up the good work.

    • Ejub December 8, 2011 at 10:52 am

      I agree with you, great thoughts!

      The blog is not the best way to communicate with wpec users. And there is no reason for us not to know what changes have been done. Even if we don’t need all the details.

      I really like Wp E-commerce, and it’s really a fantastic plugin. Though I have to say that the communication with users is very poor. I can not understand how it’s possible that a worldwide known tool doesn’t have a roadmap published. Look at Ecwid.com and their absolutely magnificent way to create a dialog with their users through the ideas forum.

      Still I stay with you guys. Because Wp E-commerce is good, but could be even greater!

      So, to finish off, I love the new documentation! Now, let’s move forward! And get that roadmap published, or remove the page.

      Take care! /Ejub

      • Van March 7, 2012 at 1:38 am

        Uushiemo have indeed created a superb site, once I have my head around markup, I hope to improve my little offering. Although, after only two evenings work I’m quite pleased with the result. My previous site ( simondavey.co.uk), which is quite pretty was built entirely with Freeway pro, but of course, I can’t publish and update galleries directly from Lightroom. Well done Timothy, well worth the a330. Things that would be nice. A little more page control in non-gallery pages (widths and text placings etc). Also, a slideshow from a contact sheet style gallery would be awesome. Please don’t let my suggestions above detract from excellence of the ImpactWSPP plugin though, many, many thanks, a true labour saving plugin. Simon

        • aneuk July 5, 2012 at 5:23 pm

          Yes, you’ll need to enter special pages, and they need to be designated as WordPress templates. You can see examples of this inside the example_pages folder when you download the plugin. There are also detailed instructions in the plugin’s readme.txt file. Finally, this plugin only searches jobs on CareerBuilder. It does not allow for searching resumes or candidates. Thanks!

    • Gary Cao December 8, 2011 at 1:59 pm

      Hi davidW,

      Thanks for sharing your thoughts. You’re definitely right in saying that blog is not the best way to communicate releases. We’ll make sure to send this information to our newsletter list as well in later releases. If you want to join the newsletter list, there’s a form at the bottom of this page where you can do it.

      I should have made it clear that this security fix is mandatory, but currently it’s only available for the 3.8 branch. The update package for 3.7.8 will follow shortly.

      However we still recommend current 3.7.x stores to upgrade to 3.8, although it requires some extra work. Active development for bug fixing / new features on the 3.7.x branch has been stopped.

      • Gary Cao December 8, 2011 at 2:41 pm

        This is embarrassing, but I think the newsletter sign up form below stopped working. I’ll fix it asap!

  3. Kerry December 8, 2011 at 10:44 am

    After the update, when I try to view “View Details” from account page, I get the error “It would appear either you are trying to hack into this account, or your session has expired. Hoping for the latter.” Any insight? I’m in development accessing multiple browsers, by fire ftp and dreamweaver – would this be the reason?

    • Justin Sainton December 8, 2011 at 1:38 pm

      Speaking of apologies... this is actually a totally legitimate bug, introduced by an attempted security fix. It got past all of us lead devs, but the code was mine, so I’ll own it.

      I’ve already deployed a fix to trunk and the 3.8 branch, Gary will be moving it over to the 3.8.7.x branch and tagging a new release shortly.

      If you need it fixed in the meantime, go to /wpsc-theme/functions/wpsc-user_log_functions.php. Around Line 37, the wp_verify_nonce check needs to be inside the $_POST check – instead of outside.

      To see a diff, check this link out – http://code.google.com/p/wp-e-commerce/source/diff?spec=svn1429&r=1429&format=side&path=/trunk/wpsc-theme/functions/wpsc-user_log_functions.php

      Again, my apologies – no excuses, we’ll be releasing a version with a fix shortly. Thanks for your patience!
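As an added illustration (not WP e-Commerce’s own code) of the ordering problem described in the comment above: a nonce check placed outside the `$_POST` check rejects the plain GET that renders “View Details”, while the same check inside the POST branch keeps the form protected and lets page views work. It assumes it runs inside WordPress; the function names, the nonce action `wpsc_edit_profile`, the field names and the saved meta key are hypothetical.

```php
<?php
// Added illustration, not the plugin's actual code. Function names, the
// nonce action 'wpsc_edit_profile', field names and the meta key are
// hypothetical; wp_verify_nonce(), wp_nonce_field(), wp_die(),
// sanitize_text_field() and update_user_meta() are WordPress core.

// Broken ordering (the regression discussed above): the nonce is demanded on
// every request, so the GET that renders "View Details" carries no nonce,
// wp_verify_nonce() returns false, and the page dies with the message below.
function wpsc_account_page_broken() {
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'wpsc_edit_profile' ) ) {
        wp_die( 'It would appear either you are trying to hack into this account, or your session has expired. Hoping for the latter.' );
    }
    if ( ! empty( $_POST['edit_profile'] ) ) {
        wpsc_save_profile( $_POST );
    }
    wpsc_render_profile_form();
}

// Fixed ordering: only a form submission must carry a valid nonce. GET views
// render normally; a cross-site forged POST still has no valid nonce and dies.
function wpsc_account_page_fixed() {
    if ( ! empty( $_POST['edit_profile'] ) ) {
        $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
        if ( ! wp_verify_nonce( $nonce, 'wpsc_edit_profile' ) ) {
            wp_die( 'It would appear either you are trying to hack into this account, or your session has expired. Hoping for the latter.' );
        }
        wpsc_save_profile( $_POST );
    }
    wpsc_render_profile_form();
}

// Hypothetical save step: only runs after the nonce has been verified.
function wpsc_save_profile( $data ) {
    $name = isset( $data['display_name'] ) ? sanitize_text_field( $data['display_name'] ) : '';
    update_user_meta( get_current_user_id(), 'wpsc_display_name', $name );
}

// The form must emit the matching nonce with the same action string, or even
// the fixed handler rejects legitimate submissions.
function wpsc_render_profile_form() {
    echo '<form method="post">';
    wp_nonce_field( 'wpsc_edit_profile' );
    echo '<input type="text" name="display_name" />';
    echo '<input type="hidden" name="edit_profile" value="1" />';
    echo '<input type="submit" value="Save" />';
    echo '</form>';
}
```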

      • Raman March 7, 2012 at 6:59 am

        My husband and I got incredibly joyful that Emmanuel could finish up his studies from the ideas he had through your blog. It truly is now and once more perplexing to simply choose to be giving out tips and hints which often other men and women may possibly have been selling. And we all figure out we require the writer to be grateful to for this. The most important illustrations you produced, the easy weblog menu, the relationships you assist to instill it’s everything amazing, and it’s making our son in addition to our family think that the idea is satisfying, and that is actually pressing. Thank you for the whole thing!

        • Lala July 4, 2012 at 7:26 am

          It is still not working, but I think I am getting closer. I downloaded another plugin that allows you to insert php code in to posts or pages. However, I am still not able to get results to show. Something is working as the page title shows in the tab; now all I have to do is get the content to show up. Any other suggestions? If you want to take a look-see send me an email and I will create a temporary user name and password. It’s pretty funky though, and I would appreciate any help you can provide.

  4. Kim March 6, 2012 at 8:35 pm

    I heard from more than one developer that Thesis is needlessly complicated. Regardless though, I doubt that WLM doesn’t support Thesis properly because both Thesis and WLM are popular among internet marketers. I think the problem lies in your particular setup. Try contacting WishList or Thesis creators. Unfortunately, there is no way for me to test a membership plugin against all the possible themes out there. If contacting the creators is not an option for you, try membership plugins that offer a refund policy. If the plugin works for you, keep it, otherwise, refund it until you find one that works.