ByteOS Network

NVD Vulnerability Details :

CVE-2015-3300

Deferred

Source-cve@mitre.org

Published At-14 May, 2015 | 14:59

Updated At-12 Apr, 2025 | 10:46

Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allow remote attackers to inject arbitrary web script or HTML via the (1) billing_firstname, (2) billing_lastname, (3) billing_company, (4) billing_tax_id_number, (5) billing_city, (6) billing_street, (7) billing_street_2, (8) billing_postcode, (9) billing_telephone_1, (10) billing_telephone_2, (11) billing_fax, (12) shipping_firstname, (13) shipping_lastname, (14) shipping_company, (15) shipping_tax_id_number, (16) shipping_city, (17) shipping_street, (18) shipping_street_2, (19) shipping_postcode, (20) shipping_telephone_1, (21) shipping_telephone_2, or (22) shipping_fax parameter to shopping-cart/checkout/; the (23) search_by parameter in the admin/AddressesList.php page to wp-admin/admin.php; the (24) address_id, (25) address_name, (26) firstname, (27) lastname, (28) street, (29) city, (30) postcode, or (31) email parameter in the admin/AddressEdit.php page to wp-admin/admin.php; the (32) post_id or (33) rel_type parameter in the admin/AssignedCategoriesList.php page to wp-admin/admin.php; or the (34) post_type parameter in the admin/CustomFieldsList.php page to wp-admin/admin.php.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	2.0	4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N

Type: Primary

Version: 2.0

Base score: 4.3

Base severity: MEDIUM

Vector:

AV:N/AC:M/Au:N/C:N/I:P/A:N

CPE Matches

thecartpress>>thecartpress_ecommerce_shopping_cart>>Versions up to 1.3.9(inclusive)

cpe:2.3:a:thecartpress:thecartpress_ecommerce_shopping_cart:*:*:*:*:*:wordpress:*:*

Weaknesses

CWE ID	Type	Source
CWE-79	Primary	nvd@nist.gov

CWE ID: CWE-79

Type: Primary

Source: nvd@nist.gov

References

Hyperlink	Source	Resource
http://osvdb.org/show/osvdb/121438	cve@mitre.org	N/A
http://osvdb.org/show/osvdb/121469	cve@mitre.org	N/A
http://osvdb.org/show/osvdb/121470	cve@mitre.org	N/A
http://osvdb.org/show/osvdb/121471	cve@mitre.org	N/A
http://osvdb.org/show/osvdb/121472	cve@mitre.org	N/A
http://packetstormsecurity.com/files/131673/WordPress-TheCartPress-1.3.9-XSS-Local-File-Inclusion.html	cve@mitre.org	Exploit
http://www.securityfocus.com/archive/1/535396/100/0/threaded	cve@mitre.org	N/A
http://www.securityfocus.com/bid/74395	cve@mitre.org	N/A
https://wordpress.org/plugins/thecartpress/changelog/	cve@mitre.org	Patch
https://www.exploit-db.com/exploits/36860/	cve@mitre.org	Exploit
https://www.htbridge.com/advisory/HTB23254	cve@mitre.org	Exploit
http://osvdb.org/show/osvdb/121438	af854a3a-2127-422b-91ae-364da2661108	N/A
http://osvdb.org/show/osvdb/121469	af854a3a-2127-422b-91ae-364da2661108	N/A
http://osvdb.org/show/osvdb/121470	af854a3a-2127-422b-91ae-364da2661108	N/A
http://osvdb.org/show/osvdb/121471	af854a3a-2127-422b-91ae-364da2661108	N/A
http://osvdb.org/show/osvdb/121472	af854a3a-2127-422b-91ae-364da2661108	N/A
http://packetstormsecurity.com/files/131673/WordPress-TheCartPress-1.3.9-XSS-Local-File-Inclusion.html	af854a3a-2127-422b-91ae-364da2661108	Exploit
http://www.securityfocus.com/archive/1/535396/100/0/threaded	af854a3a-2127-422b-91ae-364da2661108	N/A
http://www.securityfocus.com/bid/74395	af854a3a-2127-422b-91ae-364da2661108	N/A
https://wordpress.org/plugins/thecartpress/changelog/	af854a3a-2127-422b-91ae-364da2661108	Patch
https://www.exploit-db.com/exploits/36860/	af854a3a-2127-422b-91ae-364da2661108	Exploit
https://www.htbridge.com/advisory/HTB23254	af854a3a-2127-422b-91ae-364da2661108	Exploit