CVE-2023-6120 — Path Traversal in E-commerce

CWE-22 — Path Traversal4 documents4 sources

Severity

2.7LOWNVD

CNA4.1

EPSS

0.1%

top 68.29%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Welcart E-commerce Uscnanbu Welcart E-commerce

Timeline

PublishedDec 9

Latest updateApr 11

Description

The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages2 packages

▶NVDwelcart/welcart_e-commerce< 2.9.7

▶CVEListV5uscnanbu/welcart_e-commerce2.9.6

🔴Vulnerability Details

VulDB

Welcart e-Commerce Plugin up to 2.9.6 on WordPress path traversal (ID 2992785)↗2026-04-11

▶

CVEList

Welcart e-Commerce <= 2.9.6 - Authenticated (Administrator+) Directory Traversal↗2023-12-09

▶

GHSA

GHSA-5972-9g9g-mf6x: The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2↗2023-12-09

▶