CVE-2015-3300

Exploit

EPSS 5.02%
Veröffentlicht 14.05.2015 14:59:08
Zuletzt bearbeitet 12.04.2025 10:46:40
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

TheCartPress eCommerce Shopping Cart <= 1.5.3.6 - Multiple Cross-Site Scripting

Multiple cross-site scripting (XSS) vulnerabilities in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allow remote attackers to inject arbitrary web script or HTML via the (1) billing_firstname, (2) billing_lastname, (3) billing_company, (4) billing_tax_id_number, (5) billing_city, (6) billing_street, (7) billing_street_2, (8) billing_postcode, (9) billing_telephone_1, (10) billing_telephone_2, (11) billing_fax, (12) shipping_firstname, (13) shipping_lastname, (14) shipping_company, (15) shipping_tax_id_number, (16) shipping_city, (17) shipping_street, (18) shipping_street_2, (19) shipping_postcode, (20) shipping_telephone_1, (21) shipping_telephone_2, or (22) shipping_fax parameter to shopping-cart/checkout/; the (23) search_by parameter in the admin/AddressesList.php page to wp-admin/admin.php; the (24) address_id, (25) address_name, (26) firstname, (27) lastname, (28) street, (29) city, (30) postcode, or (31) email parameter in the admin/AddressEdit.php page to wp-admin/admin.php; the (32) post_id or (33) rel_type parameter in the admin/AssignedCategoriesList.php page to wp-admin/admin.php; or the (34) post_type parameter in the admin/CustomFieldsList.php page to wp-admin/admin.php.

Mögliche Gegenmaßnahme

TheCartPress eCommerce Shopping Cart: No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 15

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt TheCartPress eCommerce Shopping Cart

Version *-1.5.3.6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Thecartpress ≫ Thecartpress Ecommerce Shopping Cart SwPlatformwordpress Version <= 1.3.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	5.02%	0.894

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://osvdb.org/show/osvdb/121438

http://osvdb.org/show/osvdb/121469

http://osvdb.org/show/osvdb/121470

http://osvdb.org/show/osvdb/121471

http://osvdb.org/show/osvdb/121472

http://packetstormsecurity.com/files/131673/WordPress-TheCartPress-1.3.9-XSS-Local-File-Inclusion.html

Exploit

http://www.securityfocus.com/archive/1/535396/100/0/threaded

http://www.securityfocus.com/bid/74395

https://wordpress.org/plugins/thecartpress/changelog/

Patch

https://www.exploit-db.com/exploits/36860/