Welcart

welcart

40 CVEs • 3 products

Products (3)

Click to collapse

Toggle

CVEs (40)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-22705 1Welcart 1Welcart E Commerce Feb 20, 2025 Mar 29, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Collne Inc. Welcart e-Commerce plugin <= 2.8.10 versions.
CVE-2022-4655 1Welcart 1Welcart E Commerce Apr 4, 2025 Jan 16, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting att...Show more The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack.Show less
CVE-2022-4237 1Welcart 1Welcart E Commerce Apr 10, 2025 Jan 2, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 The Welcart e-Commerce WordPress plugin before 2.8.6 does not validate user input before using it in file_exist() functions via various AJAX actions available to any authenticated users, which could allow users with a ro...Show more The Welcart e-Commerce WordPress plugin before 2.8.6 does not validate user input before using it in file_exist() functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present on the blogShow less
CVE-2022-4236 1Welcart 1Welcart E Commerce Apr 10, 2025 Jan 2, 2023 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a ro...Show more The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server.Show less
CVE-2022-4140 1Welcart 1Welcart E Commerce Apr 10, 2025 Jan 2, 2023 N/A· v4 7.5 HIGH· v3 N/A· v2 The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file, which could allow unauthenticated attacker to read arbitrary files on the server
CVE-2022-3946 1Welcart 1Welcart E Commerce Apr 22, 2025 Dec 12, 2022 N/A· v4 6.5 MEDIUM· v3 N/A· v2 The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.
CVE-2022-3935 1Welcart 1Welcart E Commerce Apr 22, 2025 Dec 12, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Welcart e-Commerce WordPress plugin before 2.8.4 does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks
CVE-2022-41840 1Welcart 1Welcart E Commerce Feb 20, 2025 Nov 18, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Unauth. Directory Traversal vulnerability in Welcart eCommerce plugin <= 2.7.7 on WordPress.
CVE-2021-20734 1Welcart 1Welcart E Commerce Feb 20, 2025 Jun 22, 2021 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
CVE-2020-28339 1Welcart 1Welcart E Commerce Feb 20, 2025 Nov 7, 2020 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9.36 for WordPress allows Object Injection because of usces_unserialize. There is not a complete POP chain.
CVE-2016-4828 1Welcart 1Welcart E Commerce May 6, 2026 Jun 25, 2016 N/A· v4 6.5 MEDIUM· v3 6.4 MEDIUM· v2 The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account.
CVE-2016-4827 1Welcart 1Welcart E Commerce May 6, 2026 Jun 25, 2016 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerabilit...Show more Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826.Show less
CVE-2016-4826 1Welcart 1Welcart E Commerce May 6, 2026 Jun 25, 2016 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerabilit...Show more Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4827.Show less
CVE-2016-4825 1Welcart 1Welcart E Commerce May 6, 2026 Jun 25, 2016 N/A· v4 5.6 MEDIUM· v3 6.8 MEDIUM· v2 The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data.
CVE-2015-7791 1Welcart 1Welcart E Commerce May 6, 2026 Dec 29, 2015 N/A· v4 6.3 MEDIUM· v3 6.5 MEDIUM· v2 Multiple SQL injection vulnerabilities in admin.php in the Collne Welcart plugin before 1.5.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) search[column] or (2) switch para...Show more Multiple SQL injection vulnerabilities in admin.php in the Collne Welcart plugin before 1.5.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) search[column] or (2) switch parameter.Show less
CVE-2015-2973 1Welcart 1Welcart E Commerce May 6, 2026 Jul 24, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop....Show more Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3) includes/edit-form-advanced30.php, (4) includes/edit-form-advanced34.php, (5) includes/member_edit_form.php, (6) includes/order_edit_form.php, (7) includes/order_list.php, or (8) includes/usces_item_master_list.php, related to admin.php.Show less
CVE-2014-10017 1Welcart 1E Commerce May 6, 2026 Jan 13, 2015 N/A· v4 N/A· v3 7.5 HIGH· v2 Multiple SQL injection vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) changeSort or (2) switch parameter in the usces_itemedit p...Show more Multiple SQL injection vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) changeSort or (2) switch parameter in the usces_itemedit page to wp-admin/admin.php.Show less
CVE-2014-10016 1Welcart 1E Commerce May 6, 2026 Jan 13, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple cross-site scripting (XSS) vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to inject arbitrary web script or HTML via (1) unspecified vectors related to purchase_limi...Show more Multiple cross-site scripting (XSS) vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to inject arbitrary web script or HTML via (1) unspecified vectors related to purchase_limit or the (2) name, (3) intl, (4) nocod, or (5) time parameter in an add_delivery_method action to wp-admin/admin-ajax.php.Show less
CVE-2012-5178 1Welcart 1Welcart Plugin Apr 29, 2026 Dec 19, 2012 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Cross-site request forgery (CSRF) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that complete a purchase.
CVE-2012-5177 1Welcart 1Welcart Plugin Apr 29, 2026 Dec 19, 2012 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Previous 12