WordPress CartPress Plugin 'tcp_post_ids' Parameter Cross Site Scripting Vulnerability

Summary
This host has the WordPress CartPress plugin installed and is prone to a cross-site scripting vulnerability.
Impact
Successful exploitation will allow attackers to execute arbitrary web script or HTML in a user's browser session in the context of an affected site.
Impact Level: Application
Solution
Upgrade to WordPress CartPress Plugin 1.1.7 or higher. For updates, refer to http://wordpress.org/extend/plugins/thecartpress/download/
Insight
The flaw is due to an input validation error in the 'tcp_post_ids[]' parameter in '/wp-content/plugins/thecartpress/admin/OptionsPostsList.php' when processing user-supplied data.
Affected
WordPress CartPress Plugin version 1.1.6 and prior.
References