Please note that if you run your own WordPress installation or are a WordPress developer and think you have found a security vulnerability in CoCart, here is how to report an issue.
Although we strive to create the most secure products possible, we are not perfect. If you happen to find a security vulnerability in one of our products, we would appreciate letting us know and allowing us to respond before disclosing the issue publicly.
Reporting Security Vulnerabilities
While we try to be proactive in preventing security problems, we do not assume theyโll never come up.
It is standard practice to responsibly and privately disclose to us, a security problem before publicizing, so a fix can be prepared, and damage from the vulnerability minimized.
What is a โsecurityโ issue?
A security issue is a type of bug that can affect the security of WordPress installations.
Specifically, it is a report of a bug that you have found in the CoCart code, and that you have determined can be used to gain some level of access to a site running CoCart that you should not have.
Your site being โhackedโ is not a security issue. The security issue will involve knowing how the attacker got in and hacked the site.
You forgetting your password or losing access to your site is not a security issue. If you lost access through a bug in the CoCart code, then that might be a security issue.
Generally, security issues are complex problems. If you want to report a security issue, then thatโs great! Youโre in the right place. However, be sure that what youโre reporting is actually a security issue. The experts that you are reporting it to are very busy, and donโt usually respond to non-security issues.
The security reporting system is NOT for support. Donโt send general problems there.
Where do I report security issues?
For security issues with CoCart plugins, please submit a report at [email protected]. Include as much detail as you can.
In all cases, you should not share the details with anyone else until after the fix for the bug has been officially released to the public.
Why are there path disclosures when directly loading certain files?
This is a server configuration problem. Never enable display_errors on a production site.