Directory Traversal Vulnerability in TheCartPress Plugin for WordPress
CVE-2015-3301

Currently unrated

Key Information:

Vendor: Wordpress
Status: Thecartpress Ecommerce Shopping Cart
Vendor: CVE Published:; 14 May 2015

Summary

A directory traversal vulnerability exists in TheCartPress eCommerce Shopping Cart plugin for WordPress prior to version 1.3.9.3. This flaw allows remote administrators to exploit the tcp_box_path parameter on the checkout_editor_settings page, leading to unauthorized access to arbitrary files on the server by leveraging the .. (dot dot) path traversal technique. This can potentially expose sensitive information stored on the server, thereby increasing the risk of further attacks.

References

https://www.htbridge.com/advisory/HTB23254

x_refsource_MISC

https://wordpress.org/plugins/thecartpress/changelog/

x_refsource_CONFIRM

http://packetstormsecurity.com/files/131673/WordPress-The...

x_refsource_MISC

EPSS Score

17% chance of being exploited in the next 30 days.

Timeline

Vulnerability published
May 14, 2015
Vulnerability Reserved
Apr 13, 2015