Description
Cross-site request forgery (CSRF) vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to hijack the authentication of administrators for requests that conduct directory traversal attacks via the tcp_box_path parameter in the checkout_editor_settings page to wp-admin/admin.php.
Exploits (1)
exploitdb (WORKING POC), by High-Tech Bridge SA · text, webapps, php
https://www.exploit-db.com/exploits/36860
References (6)
Exploit (x_refsource_misc): https://www.htbridge.com/advisory/HTB23254
Product (x_refsource_confirm): https://wordpress.org/plugins/thecartpress/changelog/
Exploit (x_refsource_misc): http://packetstormsecurity.com/files/131673/WordPress-TheCartPress-1.3.9-XSS-Local-File-Inclusion.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/74395
Exploit (exploit, x_refsource_exploit-db): https://www.exploit-db.com/exploits/36860/
Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/535396/100/0/threaded
Scores
EPSS: 0.0162
EPSS Percentile: 81.9%
Details
CWE: CWE-352
Status: published
Products (1)
thecartpress/thecartpress_ecommerce_shopping_cart < 1.3.9
Published: May 14, 2015
Tracked Since: Feb 18, 2026