High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in TheCartPress WordPress plugin, which can be exploited to execute arbitrary PHP code, disclose sensitive data, and perform Cross-Site Scripting attacks against users of WordPress installations with the vulnerable plugin.
Currently there is no official solution for this vulnerability. According to the vendor the plugin support for TheCartPress will end on June 1, 2015: http://thecartpress.com/extend/important-note-nota-importante/
We recommend disabling or removing the vulnerable plugin.