CVE-2015-3986

Name of the Vulnerable Software and Affected Versions TheCartPress eCommerce Shopping Cart plugin for WordPress versions prior to 1.3.9.3

Description A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators for requests that conduct directory traversal attacks. This is achieved via the tcp box path parameter in the "checkout editor settings" page to "wp-admin/admin.php".

Recommendations For versions prior to 1.3.9.3, update to version 1.3.9.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the checkout editor settings page in wp-admin/admin.php to minimize the risk of exploitation. Avoid using the tcp box path parameter in the affected page until the issue is resolved.