
CVE-2025-0511 – Welcart e-Commerce <= 2.11.9 - Unauthenticated Stored Cross-Site Scripting via name Parameter
https://notcve.org/view.php?id=CVE-2025-0511
11 Feb 2025 — The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/usc-e-shop/trunk/functions/settlement_func.php#L612 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-50847 – WordPress Welcart e-Commerce Plugin <= 2.9.3 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-50847
21 Dec 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce. This issue affects Welcart e-Commerce: from n/a through 2.9.3. • https://patchstack.com/database/vulnerability/usc-e-shop/wordpress-welcart-e-commerce-plugin-2-9-3-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-6120 – Welcart e-Commerce <= 2.9.6 - Authenticated (Administrator+) Directory Traversal
https://notcve.org/view.php?id=CVE-2023-6120
08 Dec 2023 — The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server. • https://plugins.trac.wordpress.org/changeset/2992785/usc-e-shop/trunk/classes/paymentPaygent.class.php?contextall=1&old=2880236&old_path=%2Fusc-e-shop%2Ftrunk%2Fclasses%2FpaymentPaygent.class.php • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2023-5953 – Welcart e-Commerce < 2.9.5 - Subscriber+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-5953
14 Nov 2023 — The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, and does not have authorisation and CSRF checks in the AJAX action handling such uploads. As a result, any authenticated user, such as a subscriber, could upload arbitrary files, such as PHP, to the server. • https://wpscan.com/vulnerability/6d29ba12-f14a-4cee-baae-a6049d83bce6 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2023-43614
https://notcve.org/view.php?id=CVE-2023-43614
26 Sep 2023 — Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. • https://jvn.jp/en/jp/JVN97197972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-43484
https://notcve.org/view.php?id=CVE-2023-43484
26 Sep 2023 — Cross-site scripting vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. • https://jvn.jp/en/jp/JVN97197972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41962
https://notcve.org/view.php?id=CVE-2023-41962
26 Sep 2023 — Cross-site scripting vulnerability in Credit Card Payment Setup page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script in the page. • https://jvn.jp/en/jp/JVN97197972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-41233
https://notcve.org/view.php?id=CVE-2023-41233
26 Sep 2023 — Cross-site scripting vulnerability in Item List page registration process of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. • https://jvn.jp/en/jp/JVN97197972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-40219 – Welcart e-Commerce <= 2.8.21 - Authenticated(Editor+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-40219
26 Sep 2023 — Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor or higher privilege to upload an arbitrary file to an unauthorized directory. The Welcart e-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the admin_mail_page() function in versions up to, and including, 2.8.21.... • https://jvn.jp/en/jp/JVN97197972 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2023-43493 – Welcart e-Commerce <= 2.8.21 - Authenticated(level_5+) SQL Injection via get_logs
https://notcve.org/view.php?id=CVE-2023-43493
14 Sep 2023 — SQL injection vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with author or higher privilege to obtain sensitive information. The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via multiple parameters in the 'get_logs' functionality in versions u... • https://jvn.jp/en/jp/JVN97197972 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')