Uscnanbu Welcart E-Commerce vulnerabilities
8 known vulnerabilities affecting uscnanbu/welcart_e-commerce.
Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 7, LOW 1
Vulnerabilities
CVE-2025-12979 | MEDIUM | CVSS 5.3 | CWE-862 | ≤ 2.11.24 | 2025-11-13
The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials (e.g. PayPal API secret), as well as business contact deta
Sources: cvelistv5, nvd
CVE-2025-10651 | MEDIUM | CVSS 5.5 | CWE-79 | ≤ 2.11.22 | 2025-10-22
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it possible for authenticated attackers, with Editor-level permissions and above,
Sources: cvelistv5, nvd
CVE-2025-10649 | MEDIUM | CVSS 6.5 | CWE-89 | ≤ 2.11.21 | 2025-10-08
The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via the cookie in all versions up to, and including, 2.11.21 due to insufficient escaping on the user supplied value and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append
Sources: cvelistv5, nvd
CVE-2025-9367 | MEDIUM | CVSS 5.5 | CWE-79 | ≤ 2.11.20 | 2025-09-10
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will ex
Sources: cvelistv5, nvd
CVE-2025-0511 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 2.11.9 | 2025-02-12
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesse
Sources: cvelistv5, nvd
CVE-2023-6120 | LOW | CVSS 2.7 | CWE-22 | ≤ 2.9.6 | 2023-12-09
The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server.
Sources: cvelistv5, nvd
CVE-2021-4375 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 2.2.8 | 2023-06-07
The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes it possible for authenticated attackers to download information including WordPress settings, plugin settings, PHP settings and serve
Sources: cvelistv5, nvd
CVE-2021-4355 | MEDIUM | CVSS 5.3 | CWE-862 | fixed in 2.2.8 | 2023-06-07
The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of me
Sources: cvelistv5, nvd