
TheCartPress E-Commerce Plugins Puts Thousands Of Websites At Risk

TheCartPress has over 5k active installations


High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in TheCartPress WordPress plugin, which can be exploited to execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting attacks against users of WordPress installations with the vulnerable plugin.

This is not a single vulnerability but several distinct ones.

Vulnerabilities

Local PHP File Inclusion in TheCartPress WordPress plugin: CVE-2015-3301

In order to successfully exploit the vulnerability, an attacker needs administrator privileges on the WordPress installation; however, it can also be exploited via a CSRF vector, to which the script is vulnerable as well.

Multiple XSS in TheCartPress WordPress plugin (against administrator only): CVE-2015-3300

A remote attacker can trick a logged-in administrator into opening a specially crafted link and thereby execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.

Improper Access Control in TheCartPress WordPress plugin: CVE-2015-3302

…the order ID can be easily predicted, as every new order ID is an incremented value of the previous one. This enables a non-authenticated remote attacker to steal all currently-existing orders.
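Because the order references are sequential and the endpoint answers unauthenticated requests, the practical defender-side signal is one client walking consecutive order IDs in the web-server access log. The following script is an added example, not part of the original post or the High-Tech Bridge advisory: it parses combined-format log lines and reports any client that successfully fetched a run of consecutive order IDs. The `order_id` query parameter, the IP addresses and the log lines are constructed for this example and are not the plugin's real endpoint or real traffic.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format). The
# "/?order_id=N" URL shape is an assumption for this example only.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2015:12:00:01 +0000] "GET /?order_id=1041 HTTP/1.1" 200 5120 "-" "curl/7.38"
203.0.113.7 - - [10/Apr/2015:12:00:02 +0000] "GET /?order_id=1042 HTTP/1.1" 200 5133 "-" "curl/7.38"
198.51.100.23 - - [10/Apr/2015:12:00:02 +0000] "GET /?order_id=1045 HTTP/1.1" 200 5140 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2015:12:00:03 +0000] "GET /?order_id=1043 HTTP/1.1" 200 5101 "-" "curl/7.38"
203.0.113.7 - - [10/Apr/2015:12:00:04 +0000] "GET /?order_id=1044 HTTP/1.1" 200 5098 "-" "curl/7.38"
203.0.113.7 - - [10/Apr/2015:12:00:05 +0000] "GET /?order_id=1045 HTTP/1.1" 200 5140 "-" "curl/7.38"
203.0.113.7 - - [10/Apr/2015:12:00:06 +0000] "GET /?order_id=1046 HTTP/1.1" 200 5155 "-" "curl/7.38"
203.0.113.7 - - [10/Apr/2015:12:00:07 +0000] "GET /?order_id=1047 HTTP/1.1" 404 312 "-" "curl/7.38"
198.51.100.23 - - [10/Apr/2015:12:00:09 +0000] "GET /cart/ HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The order reference in the query string (assumed parameter name).
ORDER_RE = re.compile(r'[?&]order_id=(?P<id>\d+)')


def parse_line(line):
    """Return (ip, order_id, status) for an order-detail request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    o = ORDER_RE.search(m.group('path'))
    if not o:
        return None
    return m.group('ip'), int(o.group('id')), int(m.group('status'))


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in the set."""
    s = set(ids)
    best = 0
    for n in s:
        if n - 1 in s:          # only start counting at the head of a run
            continue
        length = 1
        while n + length in s:
            length += 1
        best = max(best, length)
    return best


def detect_enumeration(log_text, min_run=5):
    """Flag clients that successfully retrieved >= min_run consecutive orders.

    Only 200 responses count: a 404 means nothing was disclosed for that ID.
    """
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, order_id, status = parsed
        if status == 200:
            per_ip[ip].add(order_id)

    findings = []
    for ip, ids in sorted(per_ip.items()):
        run = longest_consecutive_run(ids)
        if run >= min_run:
            findings.append({
                'ip': ip,
                'distinct_orders': len(ids),
                'longest_run': run,
                'first': min(ids),
                'last': max(ids),
            })
    return findings


if __name__ == '__main__':
    for f in detect_enumeration(SAMPLE_LOG):
        print(f"{f['ip']}: {f['distinct_orders']} orders, "
              f"run of {f['longest_run']} ({f['first']}..{f['last']})")
```

On the constructed sample the single customer at 198.51.100.23 who viewed one order is ignored, while 203.0.113.7, which walked 1041 through 1046, is reported. The threshold and the parameter name are the two knobs to adjust for a real deployment; a per-time-window count would be the natural next refinement.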

Stored XSS in TheCartPress WordPress plugin: CVE-2015-3300

During the checkout process, many user-supplied HTTP POST parameters in the “Shipping address” and “Billing address” sections (see the complete list in the PoC) are not sanitized before being stored in the local database.

TheCartPress has posted that it will no longer support the plugin and that no updates will be made.

Important Note
After 5 years, support for TheCartPress will end on June 1, 2015.

Thank you very much for these years of trust and hard work.

Since there will be no patches, administrators are advised to disable the plugin.

Original Post by SecurityFocus.

Author: Shivniel Gounder

TheGeek : Writes about information security, privacy, cybersecurity and latest tech gadgets and more.
