Today, we released WP eCommerce 3.9.4. This is a security and maintenance release. As such, we highly recommend updating your sites. From our changelog, this release includes the following fixes:
- Security Fix: Harden several instances of $_POST input that were not sanitized properly. Specifically, PayPal settings and Quick Edit fields for products.
- Security Fix: Do not return visitor meta if WP eCommerce presumes a user to be a bot.
- Enhancement: Provide a notice for users to repair their WP eCommerce tables if visitor and visitor meta tables are in need of repair. See #1901.
- Fix: Notices on stats saving for products.
The primary fix here was due to a circumstance whereby user data could be exposed unintentionally. If your visitor tables somehow became corrupted, our visitor meta API would think that all users were bots. As such, it would save user meta from humans (which, by the way, are not bots) to the same ID. This would cause exposure of data from one human to another. This is less than ideal.
As part of this update, we’ve added a routine to check if the tables are corrupt and in need of repair. If so, you should see a notice in your admin dashboard. However, if that doesn’t show up for any reason, you can define the WP_ALLOW_REPAIR constant in your wp-config.php file – or add the line add_filter( 'wpsc_tables_need_repair', '__return_true' ); to the functions.php file in your theme.
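If you would rather force the notice only when a visitor table really fails a check, the filter can be driven by MySQL's CHECK TABLE. This is an added example, not code from WP eCommerce: the example_ function names and the transient key are hypothetical, and it assumes the visitor tables are named with your database prefix followed by "wpsc_visitor".

```php
<?php
// Added example for a theme's functions.php or a small plugin.
// Assumption: visitor tables are named "<prefix>wpsc_visitor...".

/**
 * Return the visitor tables for which CHECK TABLE reports a problem.
 *
 * @return string[] Table names whose final CHECK TABLE status is not "OK".
 */
function example_wpsc_damaged_visitor_tables() {
	global $wpdb;

	$pattern = $wpdb->esc_like( $wpdb->prefix . 'wpsc_visitor' ) . '%';
	$tables  = (array) $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $pattern ) );
	$damaged = array();

	foreach ( $tables as $table ) {
		// Table names come from SHOW TABLES above, not from user input.
		$rows = (array) $wpdb->get_results( "CHECK TABLE `{$table}`" );
		$last = end( $rows ); // The final row carries the overall status.
		if ( ! $last || 'OK' !== $last->Msg_text ) {
			$damaged[] = $table;
		}
	}

	return $damaged;
}

/**
 * Turn the repair notice on when a visitor table fails its check.
 * The result is cached for an hour so CHECK TABLE does not run on every request.
 */
function example_wpsc_force_repair_notice( $needs_repair = false ) {
	if ( $needs_repair ) {
		return $needs_repair; // The plugin's own routine already flagged it.
	}

	$damaged = get_transient( 'example_wpsc_damaged_tables' );
	if ( false === $damaged ) {
		$damaged = example_wpsc_damaged_visitor_tables();
		set_transient( 'example_wpsc_damaged_tables', $damaged, HOUR_IN_SECONDS );
	}

	return ! empty( $damaged );
}
add_filter( 'wpsc_tables_need_repair', 'example_wpsc_force_repair_notice' );
```

A table that is missing entirely is not reported by this check, since it only inspects tables that SHOW TABLES returns.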
Please update today 🙂