CVE-2023-49162 - How a WordPress Plugin Leaked Sensitive Data—BigCommerce for WordPress up to 5.0.6
---
Introduction
If you run an online store, you know how important it is to keep your customers’ information safe. Unfortunately, sometimes the tools we trust the most have vulnerabilities hiding under the hood. That brings us to CVE-2023-49162, an exposure-of-sensitive-information flaw in the “BigCommerce For WordPress” plugin, affecting every version from the first release through 5.0.6. This post breaks down the issue in easy-to-understand terms, shows you how it works, shares patch details, and gives further reading for developers and store admins.
What Is CVE-2023-49162?
“CVE-2023-49162” is a security vulnerability in the BigCommerce For WordPress plugin (BC4WP). This plugin lets you integrate your BigCommerce store with your WordPress website. However, up to version 5.0.6, an internal mistake allowed unauthorized users to access sensitive information they shouldn't see.
Type of Vulnerability
Exposure of Sensitive Information to an Unauthorized Actor
This means private data about the store, products, or even customer info could leak out to visitors or users who haven’t logged in—even hackers or competitors.
Affected Versions
Every release up to and including 5.0.6 is vulnerable. It’s not safe to use this plugin unless you’re running a version after 5.0.6 (5.0.7 or higher).
Technical Breakdown: The Vulnerability in Action
The problem lies in how certain REST API endpoints and AJAX handlers were implemented inside the BC4WP plugin. Sensitive data was being returned without proper permission checks.
To illustrate, here is a simplified example of what was going wrong:

```php
// Imagine this is a handler inside the plugin
add_action('wp_ajax_nopriv_bigcommerce_get_settings', function() {
    // INSECURE: outputs sensitive data to anyone, even not logged-in users
    $settings = get_option('bigcommerce_settings');
    echo json_encode($settings);
    wp_die();
});
```
Notice the nopriv part of the hook name, wp_ajax_nopriv_bigcommerce_get_settings: WordPress runs wp_ajax_nopriv_{action} handlers for requests from users who are not logged in. This allows anyone (even visitors not logged in) to hit this endpoint and receive back potentially sensitive configuration, API keys, or private store details.
An attacker could craft a simple HTTP request to this endpoint:

```shell
curl https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=bigcommerce_get_settings
```
Anything stored in bigcommerce_settings (such as API tokens, site config, internal connections) would be dumped in the result! In some configurations, this could include API secrets or store webmaster details—not something you want exposed.
The Official Patch
BigCommerce fixed this issue in version 5.0.7 (see the plugin changelog). Here’s what a more secure handler, with the missing permission check in place, should look like:
```php
add_action('wp_ajax_bigcommerce_get_settings', function() {
    // No wp_ajax_nopriv_ registration: this hook only fires for logged-in users
    // Only allow administrators
    if (!current_user_can('manage_options')) {
        // wp_send_json_error() sends the JSON body and calls wp_die() itself
        wp_send_json_error('Unauthorized', 401);
        wp_die();
    }
    $settings = get_option('bigcommerce_settings');
    echo json_encode($settings);
    wp_die();
});
```
Now, only a logged-in admin can run this code and see the sensitive data.
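Since the post notes that REST API endpoints were affected as well as AJAX handlers, here is the same capability check applied to a REST route, as an added example written for this post rather than the plugin’s own code. It also redacts secret fields so that even an administrator’s response never carries full credentials. The route namespace, the option name bigcommerce_settings and the secret field names are assumptions for illustration.

```php
<?php
// Added example (not BC4WP's code): a REST route that only administrators can
// read, with secret fields masked before they leave the server. The option
// name and field names below are assumptions.

add_action('rest_api_init', function () {
    register_rest_route('bc4wp-example/v1', '/settings', [
        'methods'             => 'GET',
        'callback'            => 'bc4wp_example_get_settings',
        // permission_callback runs before the callback; returning false makes
        // WordPress answer 401/403 and the handler body never executes.
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ]);
});

// Keys that must never be returned in full, even in an authorised response.
const BC4WP_EXAMPLE_SECRET_KEYS = ['client_secret', 'access_token', 'webhook_secret'];

function bc4wp_example_redact(array $settings): array {
    foreach (BC4WP_EXAMPLE_SECRET_KEYS as $key) {
        if (isset($settings[$key]) && $settings[$key] !== '') {
            // Keep a short suffix so an admin can confirm which credential is set.
            $settings[$key] = '****' . substr((string) $settings[$key], -4);
        }
    }
    return $settings;
}

function bc4wp_example_get_settings(WP_REST_Request $request) {
    $settings = get_option('bigcommerce_settings', []);
    if (!is_array($settings)) {
        $settings = [];
    }
    return rest_ensure_response(bc4wp_example_redact($settings));
}
```

Registering a route without a permission_callback is the REST-side equivalent of the nopriv AJAX hook: WordPress warns about it since 5.5, and the route behaves as public. For the admin-ajax handler, pairing current_user_can() with check_ajax_referer() additionally ties the request to a nonce issued to that logged-in user.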
Indicators of Exploit or Attack
How would you know if you’ve been targeted?
- Look for requests to /wp-admin/admin-ajax.php?action=bigcommerce_get_settings in your web logs.
- Notice any unexpected access or changes to your store configuration/API keys.
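An added example, not part of the original post, of the log check described above: a small PHP script that parses access-log lines in the common combined format, keeps only requests whose query string carries the vulnerable action, and tallies them per client IP, noting how many were actually served with a 200 and a non-empty body. The log lines are constructed, and the IPs are documentation addresses.

```php
<?php
// Added example (not from the original post): scan web-server access logs for
// requests to the vulnerable admin-ajax action and summarise them per client IP.
// Sample log lines below are constructed for illustration.

const BC4WP_SUSPECT_ACTION = 'bigcommerce_get_settings';

// Apache/Nginx "combined" format:
//   ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const BC4WP_LOG_PATTERN =
    '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\d+|-)/';

function bc4wp_parse_log_line(string $line): ?array {
    if (!preg_match(BC4WP_LOG_PATTERN, $line, $m)) {
        return null;
    }
    return [
        'ip'     => $m['ip'],
        'time'   => $m['time'],
        'method' => $m['method'],
        'path'   => $m['path'],
        'status' => (int) $m['status'],
        'bytes'  => $m['bytes'] === '-' ? 0 : (int) $m['bytes'],
    ];
}

function bc4wp_is_suspect(array $entry): bool {
    if (strpos($entry['path'], 'admin-ajax.php') === false) {
        return false;
    }
    $query = parse_url($entry['path'], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        // The action may travel in a POST body, which access logs do not record;
        // such requests cannot be classified from the log alone.
        return false;
    }
    parse_str($query, $params);
    return isset($params['action']) && $params['action'] === BC4WP_SUSPECT_ACTION;
}

function bc4wp_scan(array $lines): array {
    $hits = [];
    foreach ($lines as $line) {
        $entry = bc4wp_parse_log_line($line);
        if ($entry === null || !bc4wp_is_suspect($entry)) {
            continue;
        }
        $ip = $entry['ip'];
        $hits[$ip] ??= ['count' => 0, 'served' => 0, 'first' => $entry['time'], 'last' => $entry['time']];
        $hits[$ip]['count']++;
        // A 200 with a non-trivial body means the settings were actually returned.
        if ($entry['status'] === 200 && $entry['bytes'] > 0) {
            $hits[$ip]['served']++;
        }
        $hits[$ip]['last'] = $entry['time'];
    }
    return $hits;
}

// Constructed sample: two hits on the vulnerable action, one heartbeat, one page view.
$sample = [
    '203.0.113.7 - - [20/Dec/2023:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=bigcommerce_get_settings HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '203.0.113.7 - - [20/Dec/2023:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=bigcommerce_get_settings HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '198.51.100.4 - - [20/Dec/2023:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 41 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Dec/2023:10:03:00 +0000] "GET /shop/ HTTP/1.1" 200 20311 "-" "Mozilla/5.0"',
];

foreach (bc4wp_scan($sample) as $ip => $h) {
    printf("%-15s requests=%d served=%d first=%s last=%s\n",
        $ip, $h['count'], $h['served'], $h['first'], $h['last']);
}
```

Feed it a real log with `file('/path/to/access.log', FILE_IGNORE_NEW_LINES)` in place of `$sample`. Because admin-ajax requests from POST bodies show up only as plain `/wp-admin/admin-ajax.php` entries, a burst of those from an IP with no other site activity is worth a second look even though the script cannot attribute them to this action.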
Update the Plugin:
Upgrade “BigCommerce For WordPress” to at least version 5.0.7. Download the latest version here.
Rotate Credentials:
If you see signs of exposure, change all API keys and passwords tied to your BigCommerce integration.
Exploit References and Resources
- Official WordPress Plugin page
- Security advisory at NVD
- BigCommerce For WordPress Change Log
Proof-of-Concept Code:
Many public security researchers have demonstrated the exploit. Here’s a simplified, safe version you could test with (on your own staging site):

```shell
curl https://YOUR-SITE/wp-admin/admin-ajax.php?action=bigcommerce_get_settings
```
If you see private data—even when not logged in—it means you’re vulnerable.
Conclusion
CVE-2023-49162 is a reminder that even popular plugins can slip up on security. If you run BigCommerce and WordPress, make sure you’re not running vulnerable versions of this plugin. Apply updates fast, check your logs, and always watch for news on plugin security—as attackers are always looking for low-hanging fruit!
Stay safe and keep your customers’ trust. If you found this helpful, spread the word to other store owners and WordPress admins.
Note: Always test plugin updates in a staging environment before applying them to a live site.
Timeline
Published on: 12/21/2023 14:15:08 UTC
Last modified on: 12/29/2023 03:27:45 UTC