CVE-2015-3302

HIGH

TheCartPress <1.3.9.3 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-3302. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary The exploit demonstrates multiple vulnerabilities in TheCartPress WordPress plugin, including local file inclusion, stored XSS, and improper access control. It provides proof-of-concept code for exploiting these vulnerabilities, such as directory traversal via 'tcp_box_path' and XSS via unsanitized input fields.

Description

The TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to obtain sensitive order detail information by leveraging a "broken authentication mechanism."

Exploits (1)

exploitdb WORKING POC

by High-Tech Bridge SA · textwebappsphp

https://www.exploit-db.com/exploits/36860

View Code ZIP pw:eip

The exploit demonstrates multiple vulnerabilities in TheCartPress WordPress plugin, including local file inclusion, stored XSS, and improper access control. It provides proof-of-concept code for exploiting these vulnerabilities, such as directory traversal via 'tcp_box_path' and XSS via unsanitized input fields.

Classification

Working Poc 100%

Attack Type

Xss | Info Leak | Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: TheCartPress WordPress plugin 1.3.9 and prior

No auth needed

Prerequisites: Access to a vulnerable WordPress installation with TheCartPress plugin · For some exploits, administrator privileges or tricking an admin into visiting a crafted link

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →