CVE-2015-3300
Summary
| CVE | CVE-2015-3300 |
|---|---|
| State | PUBLISHED |
| Assigner | mitre |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2015-05-14 14:59:08 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allow remote attackers to inject arbitrary web script or HTML via the (1) billing_firstname, (2) billing_lastname, (3) billing_company, (4) billing_tax_id_number, (5) billing_city, (6) billing_street, (7) billing_street_2, (8) billing_postcode, (9) billing_telephone_1, (10) billing_telephone_2, (11) billing_fax, (12) shipping_firstname, (13) shipping_lastname, (14) shipping_company, (15) shipping_tax_id_number, (16) shipping_city, (17) shipping_street, (18) shipping_street_2, (19) shipping_postcode, (20) shipping_telephone_1, (21) shipping_telephone_2, or (22) shipping_fax parameter to shopping-cart/checkout/; the (23) search_by parameter in the admin/AddressesList.php page to wp-admin/admin.php; the (24) address_id, (25) address_name, (26) firstname, (27) lastname, (28) street, (29) city, (30) postcode, or (31) email parameter in the admin/AddressEdit.php page to wp-admin/admin.php; the (32) post_id or (33) rel_type parameter in the admin/AssignedCategoriesList.php page to wp-admin/admin.php; or the (34) post_type parameter in the admin/CustomFieldsList.php page to wp-admin/admin.php. |
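Two checks a practitioner would want from the description above, as an added example (not code from TheCartPress, WordPress.org or NVD): a version triage that treats 1.3.9.3 as the first fixed release and compares versions numerically rather than as strings (so 1.3.10 is correctly not flagged), and an offline reflection check that takes the 22 checkout parameters named in the description, assigns each a distinctive probe containing the characters an attribute/HTML escaper must neutralise, and reports which probes come back verbatim in a captured response. The plugin header sample, the HTML response and the probe format are constructed for the example; only the `Version:` header field convention (standard for WordPress plugins) and the parameter names come from outside the example.

```python
"""Offline triage helpers for CVE-2015-3300 (TheCartPress < 1.3.9.3).

Added example. Nothing here is the plugin's own code; sample inputs are
constructed and labelled as such.
"""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "1.3.9.3"  # first fixed release per the NVD description

# The 22 checkout parameters listed in the description: eleven fields, each
# in a billing_ and a shipping_ variant.
CHECKOUT_PARAMS = tuple(
    f"{side}_{field}"
    for side in ("billing", "shipping")
    for field in ("firstname", "lastname", "company", "tax_id_number", "city",
                  "street", "street_2", "postcode", "telephone_1",
                  "telephone_2", "fax")
)


def parse_version(s: str) -> Tuple[int, ...]:
    """'1.3.9.3' -> (1, 3, 9, 3). Tuple comparison puts 1.3.10 above 1.3.9.3,
    which a plain string comparison gets wrong."""
    parts: List[int] = []
    for piece in s.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at a non-numeric suffix such as '-beta'
        parts.append(int(m.group()))
    return tuple(parts)


def plugin_version_from_header(main_file_text: str) -> Optional[str]:
    """Read the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", main_file_text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when the installed version is below the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def probe_values(params=CHECKOUT_PARAMS) -> Dict[str, str]:
    """One distinctive probe per parameter. The leading quote and angle
    brackets are exactly what esc_attr()/esc_html()-style escaping must
    neutralise; a verbatim echo means the value reached the page unescaped."""
    return {p: f'"><zz-{p}>' for p in params}


def reflected_unescaped(response_html: str, probes: Dict[str, str]) -> List[str]:
    """Parameters whose probe appears byte-for-byte in the response.
    An escaped echo (&quot;&gt;&lt;zz-...&gt;) does not match."""
    return [p for p, v in probes.items() if v in response_html]


# Constructed plugin header (not the real thecartpress.php contents).
SAMPLE_HEADER = """<?php
/*
Plugin Name: TheCartPress
Version: 1.3.9
*/
"""

# Constructed checkout response: billing_city is echoed raw, billing_postcode
# is echoed through an HTML escaper.
SAMPLE_RESPONSE = (
    '<input name="billing_city" value=""><zz-billing_city>">\n'
    '<input name="billing_postcode" value="&quot;&gt;&lt;zz-billing_postcode&gt;">\n'
)


if __name__ == "__main__":
    ver = plugin_version_from_header(SAMPLE_HEADER)
    print(f"installed {ver}: affected={is_affected(ver)}")
    print("unescaped reflections:",
          reflected_unescaped(SAMPLE_RESPONSE, probe_values()))
```

The reflection check is deliberately passive: feed it a response you captured yourself (for example, from a staging copy of the site after submitting the probe values to shopping-cart/checkout/), and it tells you which of the 22 parameters came back without escaping. The same probe dictionary can be built for the admin-page parameters in the description by passing their names to `probe_values`.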
Risk And Classification
CVSS v2.0 Breakdown
| Metric | Value |
|---|---|
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality | None |
| Integrity | Partial |
| Availability | None |
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Thecartpress | Thecartpress Ecommerce Shopping Cart | All | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| WordPress TheCartPress 1.3.9 XSS / Local File Inclusion ≈ Packet Storm | af854a3a-2127-422b-91ae-364da2661108 | packetstormsecurity.com | Exploit |
| osvdb.org/show/osvdb/121472 | af854a3a-2127-422b-91ae-364da2661108 | osvdb.org | |
| WordPress › TheCartPress eCommerce Shopping Cart « WordPress Plugins | af854a3a-2127-422b-91ae-364da2661108 | wordpress.org | Patch |
| osvdb.org/show/osvdb/121471 | af854a3a-2127-422b-91ae-364da2661108 | osvdb.org | |
| osvdb.org/show/osvdb/121438 | af854a3a-2127-422b-91ae-364da2661108 | osvdb.org | |
| osvdb.org/show/osvdb/121469 | af854a3a-2127-422b-91ae-364da2661108 | osvdb.org | |
| htbridge.com reference (page title not captured at the link) | af854a3a-2127-422b-91ae-364da2661108 | www.htbridge.com | Exploit |
| WordPress Plugin TheCartPress 1.3.9 - Multiple Vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | www.exploit-db.com | Exploit |
| osvdb.org/show/osvdb/121470 | af854a3a-2127-422b-91ae-364da2661108 | osvdb.org | |
| WordPress TheCartPress Plugin Multiple Security Vulnerabilities | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| SecurityFocus | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.