CVE-2015-3986

Currently unrated

Key Information:

Vendor: Wordpress
Status: Thecartpress Ecommerce Shopping Cart
Vendor: CVE Published:; 14 May 2015

Summary

Cross-site request forgery (CSRF) vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to hijack the authentication of administrators for requests that conduct directory traversal attacks via the tcp_box_path parameter in the checkout_editor_settings page to wp-admin/admin.php.

References

https://www.htbridge.com/advisory/HTB23254

x_refsource_MISC

https://wordpress.org/plugins/thecartpress/changelog/

x_refsource_CONFIRM

http://packetstormsecurity.com/files/131673/WordPress-The...

x_refsource_MISC

Timeline

Vulnerability published
May 14, 2015
Vulnerability Reserved
May 14, 2015