
CVE-2025-27130
https://notcve.org/view.php?id=CVE-2025-27130
01 Apr 2025 — Welcart e-Commerce 2.11.6 and earlier versions contain an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product. • https://www.welcart.com/archives/23868.html • CWE-502: Deserialization of Untrusted Data •

CVE-2025-0511 – Welcart e-Commerce <= 2.11.9 - Unauthenticated Stored Cross-Site Scripting via name Parameter
https://notcve.org/view.php?id=CVE-2025-0511
11 Feb 2025 — The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://plugins.trac.wordpress.org/browser/usc-e-shop/trunk/functions/settlement_func.php#L612 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-45366
https://notcve.org/view.php?id=CVE-2024-45366
18 Sep 2024 — Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser. • https://www.welcart.com/archives/22581.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-42404 – Welcart e-Commerce <= 2.11.1 - Authenticated (Admin+) SQL Injection
https://notcve.org/view.php?id=CVE-2024-42404
18 Sep 2024 — SQL injection vulnerability in Welcart e-Commerce prior to 2.11.2 allows an attacker who can login to the product to obtain or alter the information stored in the database. The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.11.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to... • https://www.welcart.com/archives/22581.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-50847 – WordPress Welcart e-Commerce Plugin <= 2.9.3 is vulnerable to SQL Injection
https://notcve.org/view.php?id=CVE-2023-50847
21 Dec 2023 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce. This issue affects Welcart e-Commerce: from n/a through 2.9.3. • https://patchstack.com/database/vulnerability/usc-e-shop/wordpress-welcart-e-commerce-plugin-2-9-3-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-6120 – Welcart e-Commerce <= 2.9.6 - Authenticated (Administrator+) Directory Traversal
https://notcve.org/view.php?id=CVE-2023-6120
08 Dec 2023 — The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server. • https://plugins.trac.wordpress.org/changeset/2992785/usc-e-shop/trunk/classes/paymentPaygent.class.php?contextall=1&old=2880236&old_path=%2Fusc-e-shop%2Ftrunk%2Fclasses%2FpaymentPaygent.class.php • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2023-5953 – Welcart e-Commerce < 2.9.5 - Subscriber+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-5953
14 Nov 2023 — The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, and the AJAX action handling such uploads lacks authorisation and CSRF checks. As a result, any authenticated user, such as a subscriber, could upload arbitrary files, such as PHP, to the server. • https://wpscan.com/vulnerability/6d29ba12-f14a-4cee-baae-a6049d83bce6 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2023-43614
https://notcve.org/view.php?id=CVE-2023-43614
26 Sep 2023 — Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. • https://jvn.jp/en/jp/JVN97197972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-43484
https://notcve.org/view.php?id=CVE-2023-43484
26 Sep 2023 — Cross-site scripting vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. • https://jvn.jp/en/jp/JVN97197972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-41962
https://notcve.org/view.php?id=CVE-2023-41962
26 Sep 2023 — Cross-site scripting vulnerability in Credit Card Payment Setup page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script in the page. • https://jvn.jp/en/jp/JVN97197972 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •