Critical severity vulnerability in the WordPress WooCommerce plugin
Are You At Risk?
The vulnerability is only present when WooCommerce’s “PayPal Identity Token” option is set. If it is, your site is vulnerable to an Object Injection type of vulnerability, which essentially means that depending on the context the site is running in, it may be used to do a variety of things. We managed to use a combination of WordPress and WooCommerce components with a known PHP bug (CVE-2013-1643) to download critical files, files like wp-config.php; for those unfamiliar, this file contains the database credentials and WordPress secret keys. As seen in the past, giving an attacker access to these files usually results in full site compromise.
Meer informatie: http://bit.ly/1MJgzav