Yesterday Sucuri reported a new vulnerability in WP eCommerce - a popular WordPress plugin for online stores. The vulnerability allows attackers to obtain private information from websites. All versions of the WP eCommerce extension before 220.127.116.11 are vulnerable and attackers may export all user accounts, addresses and other information related to people, who used your site and the plugin to purchase any products from your site.
We immediately wrote our own WAF security rules to block malicious requests that try to take advantage of this vulnerability. We performed extensive tests to make sure that regular requests will not be blocked. However, in some cases malicious requests cannot be differentiated from regular authorized requests and some users may be blocked by our WAF even if they are the administrators of the site. We advise all site owners that use the WP eCommerce extension to upgrade it to the latest stable version 18.104.22.168. If you’re using the WP eCommerce extension and you see an error that your request is blocked by our WAF please post a support ticket via our HelpDesk and we will resolve the case for you.