Welcart E-Commerce vulnerabilities
36 known vulnerabilities affecting welcart/welcart_e-commerce.
Total CVEs
36
CISA KEV
0
Public exploits
2
Exploited in wild
1
Severity breakdown
CRITICAL2HIGH9MEDIUM24LOW1
Vulnerabilities
Page 2 of 2
CVE-2023-43614P4MEDIUMCVSS 6.1≥ 2.7, ≤ 2.8.212023-09-27
CVE-2023-43614 [MEDIUM] CWE-79 CVE-2023-43614: Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8
Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script.
nvd
CVE-2023-41233P4MEDIUMCVSS 6.1≥ 2.7, ≤ 2.8.212023-09-27
CVE-2023-41233 [MEDIUM] CWE-79 CVE-2023-41233: Cross-site scripting vulnerability in Item List page registration process of Welcart e-Commerce vers
Cross-site scripting vulnerability in Item List page registration process of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script.
nvd
CVE-2023-41962P4MEDIUMCVSS 6.1≥ 2.7, ≤ 2.8.212023-09-27
CVE-2023-41962 [MEDIUM] CWE-79 CVE-2023-41962: Cross-site scripting vulnerability in Credit Card Payment Setup page of Welcart e-Commerce versions
Cross-site scripting vulnerability in Credit Card Payment Setup page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script in the page.
nvd
CVE-2025-0511P4MEDIUMCVSS 6.1fixed in 2.11.102025-02-12
CVE-2025-0511 [MEDIUM] CWE-79 CVE-2025-0511: The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘na
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesse
nvd
CVE-2024-45366P4MEDIUMCVSS 6.1fixed in 2.11.22024-09-18
CVE-2024-45366 [MEDIUM] CWE-79 CVE-2024-45366: Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerabil
Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser.
nvd
CVE-2016-4826P4MEDIUMCVSS 6.1fixed in 1.8.32016-06-25
CVE-2016-4826 [MEDIUM] CWE-79 CVE-2016-4826: Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for Wo
Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4827.
nvd
CVE-2016-4827P4MEDIUMCVSS 6.1fixed in 1.8.32016-06-25
CVE-2016-4827 [MEDIUM] CVE-2016-4827: Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for Wo
Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826.
nvd
CVE-2022-4655P4MEDIUMCVSS 5.4fixed in 2.8.92023-01-16
CVE-2022-4655 [MEDIUM] CWE-79 CVE-2022-4655: The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortc
The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack.
nvd
CVE-2021-20734P4MEDIUMCVSS 6.1v1.5.22021-06-22
CVE-2021-20734 [MEDIUM] CWE-79 CVE-2021-20734: Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attac
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
nvd
CVE-2022-3935P4MEDIUMCVSS 5.4fixed in 2.8.42022-12-12
CVE-2022-3935 [MEDIUM] CWE-79 CVE-2022-3935: The Welcart e-Commerce WordPress plugin before 2.8.4 does not sanitise and escape some parameters, w
The Welcart e-Commerce WordPress plugin before 2.8.4 does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks
nvd
CVE-2021-4375P4MEDIUMCVSS 4.3≤ 2.2.72023-06-07
CVE-2021-4375 [MEDIUM] CWE-862 CVE-2021-4375: The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing c
The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes it possible for authenticated attackers to download information including WordPress settings, plugin settings, PHP settings and serve
nvd
CVE-2023-22705P4MEDIUMCVSS 6.1≤ 2.8.102023-03-29
CVE-2023-22705 [MEDIUM] CWE-79 CVE-2023-22705: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Collne Inc. Welcart e-Commerce plugin
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Collne Inc. Welcart e-Commerce plugin <= 2.8.10 versions.
nvd
CVE-2023-5951P4MEDIUMCVSS 6.1fixed in 2.9.52023-12-04
CVE-2023-5951 [MEDIUM] CWE-79 CVE-2023-5951: The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before
The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
nvd
CVE-2024-32144P4MEDIUMCVSS 4.3fixed in 2.10.02024-06-11
CVE-2024-32144 [MEDIUM] CWE-862 CVE-2024-32144: Missing Authorization vulnerability in Welcart Inc. Welcart e-Commerce.This issue affects Welcart e-
Missing Authorization vulnerability in Welcart Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.14.
nvd
CVE-2015-2973P4MEDIUMCVSS 4.3≤ 1.4.172015-07-24
CVE-2015-2973 [MEDIUM] CWE-79 CVE-2015-2973: Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPres
Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3) includes/edit-form-advanced30.php, (4) includes/edit-form-advanced34.php, (5) incl
nvd
CVE-2023-6120P4LOWCVSS 2.7fixed in 2.9.72023-12-09
CVE-2023-6120 [LOW] CWE-22 CVE-2023-6120: The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up
The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server.
nvd
← Previous2 / 2