Lucene search

[email protected]CVE-2015-3986

HistoryMay 14, 2015 - 2:59 p.m.

CVE-2015-3986

2015-05-1414:59:13

CWE-352

[email protected]

web.nvd.nist.gov

cve-2015-3986

cross-site request forgery

csrf vulnerability

thecartpress ecommerce shopping cart

wordpress plugin

directory traversal

authentication hijacking

nvd

7.5 High

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

77.5%

JSON

Cross-site request forgery (CSRF) vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to hijack the authentication of administrators for requests that conduct directory traversal attacks via the tcp_box_path parameter in the checkout_editor_settings page to wp-admin/admin.php.

Affected configurations

NVD

Node

thecartpressthecartpress_ecommerce_shopping_cartRange≤1.3.9wordpress

CPENameOperatorVersion
thecartpress:thecartpress_ecommerce_shopping_cartthecartpress thecartpress ecommerce shopping cartle1.3.9

CPE	Name	Operator	Version
thecartpress:thecartpress_ecommerce_shopping_cart	thecartpress thecartpress ecommerce shopping cart	le	1.3.9

References

packetstormsecurity.com/files/131673/WordPress-TheCartPress-1.3.9-XSS-Local-File-Inclusion.html

www.securityfocus.com/archive/1/535396/100/0/threaded

www.securityfocus.com/bid/74395

wordpress.org/plugins/thecartpress/changelog/

www.exploit-db.com/exploits/36860/

www.htbridge.com/advisory/HTB23254

7.5 High

AI Score

Confidence

Low

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.005 Low

EPSS

Percentile

77.5%

JSON

Related for CVE-2015-3986

cvelist1 prion1 nvd1 wpvulndb1