With the help of Miroslav Stampar, the GetShopped team was able to discover a security hole in the 3.8.x and 3.7.x versions of their WP e-Commerce plugin. While the exploit is isolated to the Chronopay payment gateway, they’re releasing a mandatory update for all WP e-Commerce 3.8.x and 3.7.x users whether they have Chronopay enabled or not.
If you don’t want to redo the changes you’ve made to your plugin’s core code and don’t use Chronopay, you can remove the
wpsc-merchants/chronopay.php file. This will also fix the security hole.