Filtered by vendor Welcart
Subscribe
Total
36 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-3946 | 1 Welcart | 1 Welcart E-commerce | 2025-04-22 | N/A | 6.5 MEDIUM |
| The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods. | |||||
| CVE-2022-3935 | 1 Welcart | 1 Welcart E-commerce | 2025-04-22 | N/A | 5.4 MEDIUM |
| The Welcart e-Commerce WordPress plugin before 2.8.4 does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks | |||||
| CVE-2016-4826 | 1 Welcart | 1 Welcart E-commerce | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4827. | |||||
| CVE-2016-4827 | 1 Welcart | 1 Welcart E-commerce | 2025-04-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826. | |||||
| CVE-2016-4828 | 1 Welcart | 1 Welcart E-commerce | 2025-04-12 | 6.4 MEDIUM | 6.5 MEDIUM |
| The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account. | |||||
| CVE-2016-4825 | 1 Welcart | 1 Welcart E-commerce | 2025-04-12 | 6.8 MEDIUM | 5.6 MEDIUM |
| The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data. | |||||
| CVE-2014-10016 | 1 Welcart | 1 E-commerce | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to inject arbitrary web script or HTML via (1) unspecified vectors related to purchase_limit or the (2) name, (3) intl, (4) nocod, or (5) time parameter in an add_delivery_method action to wp-admin/admin-ajax.php. | |||||
| CVE-2015-2973 | 1 Welcart | 1 Welcart E-commerce | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3) includes/edit-form-advanced30.php, (4) includes/edit-form-advanced34.php, (5) includes/member_edit_form.php, (6) includes/order_edit_form.php, (7) includes/order_list.php, or (8) includes/usces_item_master_list.php, related to admin.php. | |||||
| CVE-2015-7791 | 1 Welcart | 1 Welcart E-commerce | 2025-04-12 | 6.5 MEDIUM | 6.3 MEDIUM |
| Multiple SQL injection vulnerabilities in admin.php in the Collne Welcart plugin before 1.5.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) search[column] or (2) switch parameter. | |||||
| CVE-2014-10017 | 1 Welcart | 1 E-commerce | 2025-04-12 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) changeSort or (2) switch parameter in the usces_itemedit page to wp-admin/admin.php. | |||||
| CVE-2012-5178 | 2 Welcart, Wordpress | 2 Welcart Plugin, Wordpress | 2025-04-11 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that complete a purchase. | |||||
| CVE-2012-5177 | 2 Welcart, Wordpress | 2 Welcart Plugin, Wordpress | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2022-4237 | 1 Welcart | 1 Welcart E-commerce | 2025-04-10 | N/A | 8.8 HIGH |
| The Welcart e-Commerce WordPress plugin before 2.8.6 does not validate user input before using it in file_exist() functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present on the blog | |||||
| CVE-2022-4236 | 1 Welcart | 1 Welcart E-commerce | 2025-04-10 | N/A | 6.5 MEDIUM |
| The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server. | |||||
| CVE-2022-4140 | 1 Welcart | 1 Welcart E-commerce | 2025-04-10 | N/A | 7.5 HIGH |
| The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file, which could allow unauthenticated attacker to read arbitrary files on the server | |||||
| CVE-2022-4655 | 1 Welcart | 1 Welcart E-commerce | 2025-04-04 | N/A | 5.4 MEDIUM |
| The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack. | |||||
| CVE-2025-0511 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | N/A | 7.2 HIGH |
| The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2023-43614 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | N/A | 6.1 MEDIUM |
| Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. | |||||
| CVE-2023-6120 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | N/A | 4.1 MEDIUM |
| The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server. | |||||
| CVE-2023-50847 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | N/A | 7.6 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.3. | |||||