Unrated severityNVD Advisory· Published May 14, 2015· Updated May 6, 2026

CVE-2015-3986

Description

Cross-site request forgery (CSRF) vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to hijack the authentication of administrators for requests that conduct directory traversal attacks via the tcp_box_path parameter in the checkout_editor_settings page to wp-admin/admin.php.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstormsecurity.com/files/131673/WordPress-TheCartPress-1.3.9-XSS-Local-File-Inclusion.htmlnvdExploit
www.exploit-db.com/exploits/36860/nvdExploit
www.htbridge.com/advisory/HTB23254nvdExploit
www.securityfocus.com/archive/1/535396/100/0/threadednvd
www.securityfocus.com/bid/74395nvd
wordpress.org/plugins/thecartpress/changelog/nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.001
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000