WordPress CartPress Plugin Zero Day Disclosure
by Michael Mimoso, Threatpost
April 29, 2015

Another round of WordPress vulnerability disclosures has taken place with details made public on a handful of unpatched bugs in the CartPress ecommerce plugin.

These disclosures come on the heels of a separate disclosure of a zero-day in the WordPress core engine. Those vulnerabilities have since been patched.

The CartPress vulnerabilities were reported to the vendor on three separate occasions by researchers at High-Tech Bridge, on April 8, 17 and 27. According to the timeline published in the High-Tech Bridge advisory, CartPress never acknowledged any of the reports.

“Currently, we are not aware of any official solution for this vulnerability,” the advisory says. CartPress will no longer be supported as of June 1. “We recommend disabling or removing the vulnerable plugin as a workaround.”

According to High-Tech Bridge, the vulnerabilities can be exploited to run code, disclose data or carry out cross-site scripting attacks against sites running the plugin.