CVE-2022-3946

CWE-352Cross-Site Request Forgery (CSRF)CWE-862Missing Authorization3 documents3 sources
Severity
6.5MEDIUM
EPSS
0.1%
top 64.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Welcart E-commerceWelcart Welcart E-commerce
Timeline
PublishedDec 12

Description

The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5unknown/welcart_e-commerce< 2.8.4

🔴Vulnerability Details

2
GHSA
GHSA-jqx9-j9f6-5vqg: The Welcart e-Commerce WordPress plugin before 22022-12-12
CVEList
Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion2022-12-12
CVE-2022-3946 (MEDIUM CVSS 6.5) | The Welcart e-Commerce WordPress pl | cvebase.io