Welcart E Commerce

welcart_e-commerce

Vendor: Welcart • 36 CVEs

CVEs (36)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-47511 1Welcart 1Welcart E Commerce Apr 23, 2026 Jun 9, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Path Traversal.This issue affects Welcart e-Commerce: from n/a through <=...Show more Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Path Traversal.This issue affects Welcart e-Commerce: from n/a through <= 2.11.13.Show less
CVE-2025-27130 1Welcart 1Welcart E Commerce Jul 8, 2025 Apr 1, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can acc...Show more Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product.Show less
CVE-2025-0511 1Welcart 1Welcart E Commerce Feb 20, 2025 Feb 12, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. T...Show more The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Show less
CVE-2024-45366 1Welcart 1Welcart E Commerce Jul 10, 2025 Sep 18, 2024 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser.
CVE-2024-42404 1Welcart 1Welcart E Commerce Jul 10, 2025 Sep 18, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 SQL injection vulnerability in Welcart e-Commerce prior to 2.11.2 allows an attacker who can login to the product to obtain or alter the information stored in the database.
CVE-2024-32144 1Welcart 1Welcart E Commerce Nov 21, 2024 Jun 11, 2024 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Missing Authorization vulnerability in Welcart Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.14.
CVE-2023-50847 1Welcart 1Welcart E Commerce Apr 28, 2026 Dec 28, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.3.
CVE-2023-6120 1Welcart 1Welcart E Commerce Apr 8, 2026 Dec 9, 2023 N/A· v4 2.7 LOW· v3 N/A· v2 The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload ....Show more The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server.Show less
CVE-2023-5953 1Welcart 1Welcart E Commerce May 29, 2025 Dec 4, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, as well as does not have authorisation and CSRF in an AJAX action handling such upload. As a result, any authenticated users, s...Show more The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, as well as does not have authorisation and CSRF in an AJAX action handling such upload. As a result, any authenticated users, such as subscriber could upload arbitrary files, such as PHP on the serverShow less
CVE-2023-5952 1Welcart 1Welcart E Commerce Feb 20, 2025 Dec 4, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Welcart e-Commerce WordPress plugin before 2.9.5 unserializes user input from cookies, which could allow unautehtniacted users to perform PHP Object Injection when a suitable gadget is present on the blog
CVE-2023-5951 1Welcart 1Welcart E Commerce Feb 20, 2025 Dec 4, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege...Show more The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as adminShow less
CVE-2023-43614 1Welcart 1Welcart E Commerce Feb 20, 2025 Sep 27, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script.
CVE-2023-43610 1Welcart 1Welcart E Commerce Feb 20, 2025 Sep 27, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 SQL injection vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor (without setting authority) or higher privilege to perform unintended database operations.
CVE-2023-43493 1Welcart 1Welcart E Commerce Feb 20, 2025 Sep 27, 2023 N/A· v4 4.9 MEDIUM· v3 N/A· v2 SQL injection vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with author or higher privilege to obtain sensitive information.
CVE-2023-43484 1Welcart 1Welcart E Commerce Feb 20, 2025 Sep 27, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-site scripting vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script.
CVE-2023-41962 1Welcart 1Welcart E Commerce Feb 20, 2025 Sep 27, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-site scripting vulnerability in Credit Card Payment Setup page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script in the page.
CVE-2023-41233 1Welcart 1Welcart E Commerce Feb 20, 2025 Sep 27, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-site scripting vulnerability in Item List page registration process of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script.
CVE-2023-40219 1Welcart 1Welcart E Commerce Feb 20, 2025 Sep 27, 2023 N/A· v4 7.2 HIGH· v3 N/A· v2 Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor or higher privilege to upload an arbitrary file to an unauthorized directory.
CVE-2021-4375 1Welcart 1Welcart E Commerce Apr 8, 2026 Jun 7, 2023 N/A· v4 4.3 MEDIUM· v3 N/A· v2 The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes...Show more The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes it possible for authenticated attackers to download information including WordPress settings, plugin settings, PHP settings and server settings.Show less
CVE-2021-4355 1Welcart 1Welcart E Commerce Apr 8, 2026 Jun 7, 2023 N/A· v4 5.3 MEDIUM· v3 N/A· v2 The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via a...Show more The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of members, products and orders.Show less

12 Next