CVE-2022-4655

CWE-79Cross-site Scripting (XSS)CWE-200Information Exposure4 documents4 sources
Severity
5.4MEDIUM
EPSS
0.2%
top 58.15%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Welcart E-commerceWelcart Welcart E-commerce
Timeline
PublishedJan 16

Description

The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

CVEListV5unknown/welcart_e-commerce< 2.8.9

🔴Vulnerability Details

2
GHSA
GHSA-wvc8-26f6-r55r: The Welcart e-Commerce WordPress plugin before 22023-01-16
CVEList
Welcart e-Commerce < 2.8.9 - Contributor+ Stored XSS via Shortcode2023-01-16

📋Vendor Advisories

1
CISA
Apple iOS Information Disclosure Vulnerability2022-05-24
CVE-2022-4655 (MEDIUM CVSS 5.4) | The Welcart e-Commerce WordPress pl | cvebase.io