CSRF Vulnerability in TheCartPress eCommerce Shopping Cart Plugin for WordPress
CVE-2015-3986


Key Information:

Vendor: WordPress
CVE Published: 14 May 2015

Summary

A cross-site request forgery (CSRF) vulnerability exists in TheCartPress eCommerce Shopping Cart plugin for WordPress before version 1.3.9.3. The checkout_editor_settings page, served through wp-admin/admin.php, accepts the tcp_box_path parameter without verifying that the request originated from the plugin's own form (no anti-CSRF nonce check). A remote attacker who lures an authenticated administrator to an attacker-controlled page can therefore have the administrator's browser submit a forged request, hijacking that administrator's authentication (not their credentials) to change the setting. Because the supplied tcp_box_path value is not constrained to the intended directory, the forged request can be used to conduct a directory traversal attack through that parameter.
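The pattern the advisory describes, shown as an added illustration rather than TheCartPress's own code: a generic WordPress admin settings handler that stores a path from a POST parameter with no nonce or capability check, next to a hardened version that enforces both and confines the path. The parameter name tcp_box_path and the page slug checkout_editor_settings come from the advisory; the option name, the templates directory, the hook and all demo_* function names are assumptions made for the example.

```php
<?php
/**
 * Illustrative WordPress admin settings handler. This is NOT TheCartPress code;
 * it reproduces the class of flaw described in the advisory and one way to fix it.
 * Assumed (hypothetical): option name 'demo_box_path', a 'templates' directory
 * under the plugin, and the demo_* function names.
 */

// --- Vulnerable pattern: no nonce, no capability check, raw path stored -------------
function demo_vulnerable_save_settings() {
    // A forged cross-site POST made by an authenticated admin's browser reaches this
    // unchanged: nothing proves the request came from the plugin's own settings form.
    if ( isset( $_POST['tcp_box_path'] ) ) {
        // Stored verbatim, so "../" sequences later escape the intended directory
        // wherever the plugin reads or includes files under this path.
        update_option( 'demo_box_path', $_POST['tcp_box_path'] );
    }
}

// --- Hardened pattern ---------------------------------------------------------------
function demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=checkout_editor_settings' ) ); ?>">
        <?php wp_nonce_field( 'demo_save_box_path', 'demo_box_path_nonce' ); ?>
        <input type="text" name="tcp_box_path"
               value="<?php echo esc_attr( get_option( 'demo_box_path', '' ) ); ?>">
        <?php submit_button(); ?>
    </form>
    <?php
}

/**
 * Resolve $candidate relative to $base and return the normalized absolute path only
 * if it stays inside $base. realpath() collapses "..", so traversal sequences,
 * absolute paths and symlinks that point outside $base are all rejected.
 */
function demo_confine_path( $candidate, $base ) {
    $base_real = realpath( $base );
    $target    = realpath( rtrim( $base, '/\\' ) . '/' . ltrim( $candidate, '/\\' ) );
    if ( false === $base_real || false === $target ) {
        return false; // base or target does not exist
    }
    $base_real = wp_normalize_path( $base_real );
    $target    = wp_normalize_path( $target );
    // Compare with trailing slashes so "/base-evil" is not accepted as inside "/base".
    if ( 0 !== strpos( trailingslashit( $target ), trailingslashit( $base_real ) ) ) {
        return false;
    }
    return $target;
}

function demo_hardened_save_settings() {
    if ( ! isset( $_POST['tcp_box_path'] ) ) {
        return;
    }
    // 1. Authorization: only users allowed to manage options may change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Anti-CSRF: the nonce is bound to the logged-in user and this action. A page
    //    on another origin cannot read it, so a forged request dies here with a 403.
    check_admin_referer( 'demo_save_box_path', 'demo_box_path_nonce' );

    // 3. Input validation: confine the path to the plugin's templates directory
    //    (assumed location) so the stored value cannot be used for traversal.
    $requested = sanitize_text_field( wp_unslash( $_POST['tcp_box_path'] ) );
    $confined  = demo_confine_path( $requested, plugin_dir_path( __FILE__ ) . 'templates' );
    if ( false === $confined ) {
        add_settings_error( 'demo_box_path', 'invalid_path', 'Invalid box path.' );
        return;
    }
    update_option( 'demo_box_path', $confined );
}
add_action( 'admin_init', 'demo_hardened_save_settings' );
```

The nonce check alone closes the CSRF; the path confinement is the independent fix for the traversal, and both are needed because an administrator could still submit a traversing path through the legitimate form once the nonce is present.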

Timeline

  • Vulnerability published: 14 May 2015

  • Vulnerability reserved