VYPR

Unrated severity · NVD Advisory · Published May 14, 2015 · Updated May 6, 2026 · No known patch

CVE-2015-3300

Description

Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allow remote attackers to inject arbitrary web script or HTML via the (1) billing_firstname, (2) billing_lastname, (3) billing_company, (4) billing_tax_id_number, (5) billing_city, (6) billing_street, (7) billing_street_2, (8) billing_postcode, (9) billing_telephone_1, (10) billing_telephone_2, (11) billing_fax, (12) shipping_firstname, (13) shipping_lastname, (14) shipping_company, (15) shipping_tax_id_number, (16) shipping_city, (17) shipping_street, (18) shipping_street_2, (19) shipping_postcode, (20) shipping_telephone_1, (21) shipping_telephone_2, or (22) shipping_fax parameter to shopping-cart/checkout/; the (23) search_by parameter in the admin/AddressesList.php page to wp-admin/admin.php; the (24) address_id, (25) address_name, (26) firstname, (27) lastname, (28) street, (29) city, (30) postcode, or (31) email parameter in the admin/AddressEdit.php page to wp-admin/admin.php; the (32) post_id or (33) rel_type parameter in the admin/AssignedCategoriesList.php page to wp-admin/admin.php; or the (34) post_type parameter in the admin/CustomFieldsList.php page to wp-admin/admin.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPress eCommerce Shopping Cart plugin for WordPress before 1.3.9.3 allow remote attackers to inject arbitrary web script or HTML via 34 checkout and admin-page parameters.

Vulnerability

TheCartPress eCommerce Shopping Cart plugin for WordPress (versions before 1.3.9.3) contains multiple cross-site scripting (XSS) vulnerabilities. The plugin writes user-supplied input from the checkout process and from several admin pages back into HTML without escaping it for the context it lands in. The affected inputs, grouped by page, are: the 22 billing_* and shipping_* fields (firstname, lastname, company, tax_id_number, city, street, street_2, postcode, telephone_1, telephone_2, fax) submitted to shopping-cart/checkout/; search_by in admin/AddressesList.php; address_id, address_name, firstname, lastname, street, city, postcode and email in admin/AddressEdit.php; post_id and rel_type in admin/AssignedCategoriesList.php; and post_type in admin/CustomFieldsList.php, the admin pages all being reached through wp-admin/admin.php. The NVD description does not say which of these are stored and which are reflected. The checkout billing and shipping fields are the kind of data a shop persists with the order and later redisplays to staff, so a payload there can be stored; the admin list-page parameters (search_by, post_id, rel_type, post_type) are filter and lookup values echoed back into the page that received them, which is the shape of a reflected XSS. In either case the injected script or HTML executes in the browser of whoever renders the affected page. [1]

Exploitation

The checkout parameters require no authentication: they are fields of the public checkout form, so an attacker places a payload in any of the 22 billing or shipping fields while placing an order. The admin-page parameters require an authenticated administrator (or other user with access to those screens) to load a crafted URL or submit a crafted form, for example a link sent to the administrator or an auto-submitting form on an attacker-controlled page (a CSRF-style delivery). The payload then runs when the admin page renders the parameter, or, for values the plugin stores with the order or address record, whenever an administrator or other user later views that record (order details, address lists). [1]
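The class of defect behind the Vulnerability and Exploitation paragraphs above, as an added illustration that is not TheCartPress's own code: a submitted checkout field written straight back into HTML, next to the WordPress-idiomatic fix (sanitize on input, escape on output per context). The form markup, the `render_*` function names and the probe value are hypothetical; the WordPress helpers `wp_unslash`, `sanitize_text_field`, `esc_attr` and `esc_html` are real, and the stand-in definitions below only exist so the file also runs outside WordPress.

```php
<?php
// Added illustration for this advisory; not TheCartPress's code. It shows the
// bug class the NVD description points at (a posted field concatenated into
// HTML unescaped) beside the WordPress-idiomatic fix.

// Stand-ins so the file runs with plain `php` outside WordPress. Inside
// WordPress the real functions are defined and these blocks are skipped; the
// stand-ins only approximate the real behaviour.
if (!function_exists('wp_unslash')) {
    function wp_unslash($v) { return is_array($v) ? array_map('wp_unslash', $v) : stripslashes((string) $v); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($s) {
        $s = preg_replace('@<(script|style)[^>]*?>.*?</\\1>@si', '', (string) $s); // drop script/style bodies
        return trim(preg_replace('/[\r\n\t ]+/', ' ', strip_tags($s)));            // drop tags, squash whitespace
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}

// Vulnerable pattern (hypothetical): the posted value goes straight into an
// attribute and into element text. A value like  "><script>...</script>  closes
// the attribute and the tag and runs for whoever renders this markup: the
// customer on the checkout page, or an administrator on an order/address
// screen if the value was stored with the order.
function render_billing_field_vulnerable(string $name, array $post): string {
    $value = $post[$name] ?? '';
    return '<p><label>' . $name . ': <input name="' . $name . '" value="' . $value . '"></label>'
         . ' <span class="preview">' . $value . '</span></p>';
}

// Hardened pattern: wp_unslash() undoes the slashes WordPress adds to $_POST,
// sanitize_text_field() cleans the value before it is stored, and the output is
// escaped for the context it lands in: esc_attr() inside an attribute,
// esc_html() in element text. Output escaping is what actually prevents XSS;
// sanitizing on input alone is not enough because the same stored value is
// later rendered in several places (order screen, address list, e-mails).
function render_billing_field_hardened(string $name, array $post): string {
    $value = sanitize_text_field(wp_unslash($post[$name] ?? ''));
    return '<p><label>' . esc_html($name) . ': <input name="' . esc_attr($name)
         . '" value="' . esc_attr($value) . '"></label>'
         . ' <span class="preview">' . esc_html($value) . '</span></p>';
}

// Constructed probe value standing in for what an attacker would submit in the
// checkout form. The first line of output contains a live <script> element; the
// second contains only escaped text.
$constructed_post = ['billing_firstname' => '"><script>alert(1)</script>'];
echo render_billing_field_vulnerable('billing_firstname', $constructed_post), "\n";
echo render_billing_field_hardened('billing_firstname', $constructed_post), "\n";
```

The same split applies to the admin list-page parameters: a search term or post_type value echoed into the filter form or a table cell needs esc_attr() or esc_html() at the point where it is printed, regardless of whether it was ever stored.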

Impact

Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser in the context of the WordPress site, on the frontend or in wp-admin, enabling session hijacking, defacement, and theft of cookies, nonces and other sensitive page content. The reach is bounded by the victim's privileges; when the victim is an administrator, script running in wp-admin can perform any administrator action in that session, such as creating a further administrator account or installing a plugin, which amounts to full control of the WordPress installation. [1]

Mitigation

The vulnerability was fixed in version 1.3.9.3 of the plugin. However, on October 5, 2021 the plugin was closed and removed from the WordPress.org plugin directory for a security issue, so no patched version is distributed through official channels. Sites that still have the plugin installed should uninstall it and migrate to a maintained eCommerce solution. Uninstalling removes the rendering code; any payloads already accepted into order or address records remain in the database and should be reviewed before that data is migrated elsewhere. [2][3]
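A check for the Mitigation step above, as an added audit helper rather than anything from the advisory or the plugin: it looks for the plugin under a WordPress install, reads the version from the standard plugin header, and compares it with the 1.3.9.3 fix boundary given in the NVD description. It assumes the plugin directory is wp-content/plugins/thecartpress/ (the slug shown on this page) and that the plugin declares the usual WordPress "Plugin Name:" and "Version:" header lines in one of its top-level PHP files; the function names and the output wording are hypothetical.

```php
<?php
// Added audit helper for this advisory; not part of the plugin. Reports whether
// TheCartPress is present under a WordPress root and whether the version on
// disk is below the 1.3.9.3 fix boundary from the NVD description.
// Usage: php tcp_check.php /var/www/html

const TCP_FIXED_VERSION = '1.3.9.3';          // "before 1.3.9.3" per NVD
const TCP_PLUGIN_SLUG   = 'thecartpress';     // directory slug shown on this page

// Read the "Version:" header from whichever top-level PHP file carries the
// "Plugin Name:" header. Returns null if no plugin header is found, '' if the
// header exists but has no version line.
function tcp_read_plugin_version(string $plugin_dir): ?string {
    foreach (glob(rtrim($plugin_dir, '/') . '/*.php') ?: [] as $file) {
        // WordPress reads plugin headers from the first 8 KiB of each file.
        $head = file_get_contents($file, false, null, 0, 8192);
        if ($head === false || !preg_match('/^[ \t\/*#@]*Plugin Name:/mi', $head)) {
            continue;
        }
        if (preg_match('/^[ \t\/*#@]*Version:[ \t]*(\S+)/mi', $head, $m)) {
            return $m[1];
        }
        return '';
    }
    return null;
}

// Classify one WordPress root. Any installed copy is reported as something to
// remove, because no build is distributed through WordPress.org any more; the
// version only says whether the CVE-2015-3300 range applies on top of that.
function tcp_assess(string $wp_root): string {
    $dir = rtrim($wp_root, '/') . '/wp-content/plugins/' . TCP_PLUGIN_SLUG;
    if (!is_dir($dir)) {
        return 'not installed';
    }
    $version = tcp_read_plugin_version($dir);
    if ($version === null || $version === '') {
        return 'installed, version unknown: uninstall (plugin removed from WordPress.org)';
    }
    // version_compare() handles four-part versions such as 1.3.9.2 < 1.3.9.3.
    if (version_compare($version, TCP_FIXED_VERSION, '<')) {
        return "installed $version: in the CVE-2015-3300 range, uninstall";
    }
    return "installed $version: outside the CVE-2015-3300 range, but unmaintained and removed, uninstall";
}

$root = $argv[1] ?? getcwd();
echo tcp_assess($root), "\n";
```

Run it against each WordPress root on a host (for example from a loop over the vhost document roots); a version-independent "installed" result is already reason to act, since the directory page quoted above records the removal for a security issue.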

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

Plugin removed: TheCartPress eCommerce Shopping Cart (slug: thecartpress)

This plugin has been removed from the WordPress.org directory on 2021-10-05 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.

Source: api.wordpress.org · directory page


References: 11

News mentions: 0