WordPress TheCartPress plugin version 1.3.9 suffers from local file inclusion, improper access control, and cross site scripting vulnerabilities.