CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Dec 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce. This issue affects Welcart e-Commerce: from n/a through 2.9.3. • https://patchstack.com/database/vulnerability/usc-e-shop/wordpress-welcart-e-commerce-plugin-2-9-3-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 4.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

08 Dec 2023 — The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server. • https://plugins.trac.wordpress.org/changeset/2992785/usc-e-shop/trunk/classes/paymentPaygent.class.php?contextall=1&old=2880236&old_path=%2Fusc-e-shop%2Ftrunk%2Fclasses%2FpaymentPaygent.class.php • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

14 Nov 2023 — The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded and has no authorisation or CSRF checks in the AJAX action handling such uploads. As a result, any authenticated user, such as a subscriber, could upload arbitrary files, such as PHP, to the server. • https://wpscan.com/vulnerability/6d29ba12-f14a-4cee-baae-a6049d83bce6 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Sep 2023 — Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. • https://jvn.jp/en/jp/JVN97197972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Sep 2023 — Cross-site scripting vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. • https://jvn.jp/en/jp/JVN97197972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Sep 2023 — Cross-site scripting vulnerability in Credit Card Payment Setup page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script in the page. • https://jvn.jp/en/jp/JVN97197972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Sep 2023 — Cross-site scripting vulnerability in Item List page registration process of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. • https://jvn.jp/en/jp/JVN97197972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Sep 2023 — Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor or higher privilege to upload an arbitrary file to an unauthorized directory. The Welcart e-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the admin_mail_page() function in versions up to, and including, 2.8.21.... • https://jvn.jp/en/jp/JVN97197972 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Sep 2023 — SQL injection vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with author or higher privilege to obtain sensitive information. The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via multiple parameters in the 'get_logs' functionality in versions u... • https://jvn.jp/en/jp/JVN97197972 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Sep 2023 — SQL injection vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor (without setting authority) or higher privilege to perform unintended database operations. The Welcart e-Commerce plugin for Wor... • https://jvn.jp/en/jp/JVN97197972 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')