We’ve just released WP eCommerce 3.11.4. This is a highly recommended update.
We were notified of a security vulnerability – a SQL injection vulnerability. It was responsibly disclosed by the plugins team at WordPress.org – we’re grateful for their disclosure and discretion. We were notified yesterday, patched on GitHub within an hour of being notified, and pushed a release to WordPress.org this morning.
This vulnerability only affects users who use eWay as their payment gateway, have Gold Cart activated, and are using the as-of-yet-unreleased Theme Engine 2.0. We believe the number of users affected is likely close to zero, due to these conditions – but still, we highly recommend updating.
Thanks again to our wonderful user community, our developer team, and the great folks at WordPress.org (thanks Mika!)