CVE-2015-3986
TheCartPress eCommerce Shopping Cart < 1.3.9.3 - Cross-Site Request Forgery via tcp_box_path Parameter
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2015-3986. PoCs published by High-Tech Bridge SA.
AI-analyzed exploit summary: The exploit demonstrates multiple vulnerabilities in the TheCartPress WordPress plugin, including local file inclusion, stored XSS, and improper access control. It provides proof-of-concept code for exploiting these vulnerabilities, such as directory traversal via 'tcp_box_path' and XSS via unsanitized input fields. Of these, CVE-2015-3986 covers only the CSRF vector: the settings request carries no anti-CSRF token, so an attacker can make a logged-in administrator submit a traversal value in tcp_box_path.
Description
Cross-site request forgery (CSRF) vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to hijack the authentication of administrators for requests that conduct directory traversal attacks via the tcp_box_path parameter in the checkout_editor_settings page to wp-admin/admin.php.
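The description above pairs two defects: the settings request on the checkout_editor_settings page has no CSRF protection, and the tcp_box_path value it saves is used without confinement to a safe directory. The following is an added example, not TheCartPress code and not the plugin's actual fix: a hypothetical WordPress settings handler that shows the unsafe pattern next to a hardened version with the standard capability check, nonce check and realpath-based path confinement. All tcp_example_* names, the option key and the templates directory are assumptions.

```php
<?php
/*
 * Added example, not code from TheCartPress or its fix. A hypothetical
 * WordPress admin settings handler that accepts a directory (tcp_box_path)
 * and stores it for later use by a template include.
 * All tcp_example_* names, the option key and the base directory are assumed.
 */

/* Unsafe: no nonce, no capability check, no path validation. A cross-site form
 * submitted by an administrator's browser saves whatever it posts, including
 * a traversal string such as ../../../../wp-config.php. */
function tcp_example_save_box_path_unsafe() {
    if ( isset( $_POST['tcp_box_path'] ) ) {
        update_option( 'tcp_example_box_path', $_POST['tcp_box_path'] );
    }
}

/*
 * Resolve $user_path relative to $base_dir and return the canonical absolute
 * path only if it stays inside $base_dir; otherwise return false.
 * realpath() collapses ../ segments and symlinks, so the prefix comparison is
 * made on the resolved path, not on the attacker-controlled input.
 */
function tcp_example_confine_path( $base_dir, $user_path ) {
    if ( ! is_string( $user_path ) || $user_path === '' || strpos( $user_path, "\0" ) !== false ) {
        return false;
    }
    $base = realpath( $base_dir );
    if ( $base === false ) {
        return false;
    }
    $base   = wp_normalize_path( $base );
    $target = realpath( $base . '/' . $user_path );
    if ( $target === false ) {
        return false; // target does not exist, nothing to include
    }
    $target = wp_normalize_path( $target );
    if ( $target !== $base && strpos( $target, trailingslashit( $base ) ) !== 0 ) {
        return false; // resolved outside the base directory
    }
    return $target;
}

/* Hardened: capability check, nonce check against CSRF, then path confinement. */
function tcp_example_save_box_path_hardened() {
    if ( ! isset( $_POST['tcp_box_path'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // Dies unless the request carries a nonce minted for this action, so a
    // form hosted on another site cannot replay the request with the
    // administrator's session cookies.
    check_admin_referer( 'tcp_example_save_box_path', 'tcp_example_nonce' );

    $base_dir = plugin_dir_path( __FILE__ ) . 'templates';
    $path     = tcp_example_confine_path( $base_dir, wp_unslash( $_POST['tcp_box_path'] ) );
    if ( $path === false ) {
        add_settings_error( 'tcp_example', 'bad_path',
            'Box path must be an existing directory inside the plugin templates folder.' );
        return;
    }
    // Only the canonical, confined path is ever stored.
    update_option( 'tcp_example_box_path', $path );
}

/* The settings form must emit the matching nonce field for the check above. */
function tcp_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=checkout_editor_settings' ) ) . '">';
    wp_nonce_field( 'tcp_example_save_box_path', 'tcp_example_nonce' );
    echo '<input type="text" name="tcp_box_path" value="'
        . esc_attr( get_option( 'tcp_example_box_path', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

The two checks address different halves of the CVE: the nonce stops a third-party page from submitting the form on the administrator's behalf, and the realpath confinement means that even a request which does get through cannot point the later include outside the plugin's templates directory. Checking the prefix on the input string instead of the resolved path is a common mistake; `templates/../../wp-config.php` passes a naive `strpos( $input, '..' )` filter only when encoding tricks are ignored, while a symlink inside the base directory passes it entirely, which is why the comparison is done after `realpath()`.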
Exploits (1)
Proof of concept published by High-Tech Bridge SA; its contents are summarized in the AI-analyzed exploit summary above.