CVE-2015-3302
published 2017-12-29


Priority: P265high
CVSS 3.0: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Exploit: available
EPSS: 21.67% (97.3rd percentile)
The TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to obtain sensitive order detail information by leveraging a "broken authentication mechanism."

Affected (1 range)

Vendor: thecartpress
Product: thecartpress_ecommerce_shopping_cart
Version range: <= 1.3.9
Fixed in: not listed

Detection & IOCs (extracted from sources)

URL: http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order
URL: http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]
Path: /wp-admin/admin-ajax.php
Path: /wp-admin/admin.php?page=thecartpress/admin/OrdersListTable.php
  • Sequential order ID enumeration: alert on rapid sequential GET requests to admin-ajax.php?action=tcp_print_order with incrementing order_id values from the same source IP, indicating automated order harvesting.
  • Detect the two-step exploitation pattern: a request to /shopping-cart/checkout/?tcp_checkout=ok followed immediately by a request to /wp-admin/admin-ajax.php?action=tcp_print_order with the same order_id from the same unauthenticated client.
  • The vulnerable plugin (TheCartPress <= 1.3.9) has been officially abandoned by the vendor as of June 1, 2015. Any detection should treat its mere presence as a high-risk finding regardless of exploitation attempts.
  • The order_id parameter is a simple auto-incremented integer, meaning there is no token or secret required to enumerate all historical orders: detection thresholds should be set low (e.g., 3+ sequential order_id requests from one IP).
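As an added example (not part of this record or of the plugin's own code), the two detection patterns above implemented over constructed web-server access-log lines; the paths, parameters and the 3-request threshold are the ones given above, while the combined log format and the sample client addresses are assumptions:

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Assumes combined-log-style lines: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')

def parse(line):
    """Return (ip, path, query dict) or None if the line is not a request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = urlsplit(m.group("target"))
    return m.group("ip"), u.path, parse_qs(u.query)

def tcp_order_alerts(lines, min_sequence=3):
    """Flag both TheCartPress order-harvesting patterns from the detection notes."""
    alerts = []
    seqs = defaultdict(list)        # ip -> run of consecutive order_ids printed
    checkouts = defaultdict(set)    # ip -> order_ids seen with tcp_checkout=ok
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        ip, path, q = parsed
        oid = q.get("order_id", [""])[0]
        if not oid.isdigit():
            continue
        oid = int(oid)
        if path.endswith("/shopping-cart/checkout/") and q.get("tcp_checkout") == ["ok"]:
            checkouts[ip].add(oid)
        elif path.endswith("/wp-admin/admin-ajax.php") and q.get("action") == ["tcp_print_order"]:
            if oid in checkouts[ip]:                      # two-step pattern
                alerts.append(("two_step", ip, oid))
            run = seqs[ip]
            run[:] = run + [oid] if run and oid == run[-1] + 1 else [oid]
            if len(run) == min_sequence:                  # sequential enumeration
                alerts.append(("enumeration", ip, run[0]))
    return alerts

# Constructed sample traffic (not real log data): one client walks three orders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:12:00:01 +0000] "GET /shopping-cart/checkout/?tcp_checkout=ok&order_id=41 HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2015:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?order_id=41&action=tcp_print_order HTTP/1.1" 200 2048
203.0.113.5 - - [10/Mar/2015:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?order_id=42&action=tcp_print_order HTTP/1.1" 200 2048
203.0.113.5 - - [10/Mar/2015:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?order_id=43&action=tcp_print_order HTTP/1.1" 200 2048
198.51.100.9 - - [10/Mar/2015:12:00:05 +0000] "GET /wp-admin/admin-ajax.php?order_id=7&action=tcp_print_order HTTP/1.1" 200 2048
""".splitlines()
def run_sample():
    return tcp_order_alerts(SAMPLE_LOG)
```

On the sample, `run_sample()` returns a two_step alert for order 41 and one enumeration alert for the run starting at 41; the second client, with a single request, produces nothing.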

CVSS provenance

NVD, CVSS v3.0: 7.5 HIGH, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD, CVSS v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N