cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-10726,https://securityvulnerability.io/vulnerability/CVE-2024-10726,Cross-Site Request Forgery Vulnerability Affects Welcart Plugin,"The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",Wordpress,Friendly Functions For Welcart,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-11-21T02:06:27.940Z,0
CVE-2023-6120,https://securityvulnerability.io/vulnerability/CVE-2023-6120,Directory Traversal Vulnerability in Welcart e-Commerce Plugin for WordPress,"The Welcart e-Commerce plugin for WordPress is vulnerable to directory traversal in the upload_certificate_file function. In all versions up to and including 2.9.6, an administrator can write uploaded .pem or .crt files to arbitrary locations on the server rather than only to the intended certificate directory. Because the attacker must already hold the administrator role, the impact is limited, which the LOW score reflects; sites should nevertheless update to a version newer than 2.9.6.",Wordpress,Welcart E-commerce,2.7,LOW,0.0008500000112690032,false,,false,false,false,,,false,false,,2023-12-09T07:15:00.000Z,0
CVE-2023-5953,https://securityvulnerability.io/vulnerability/CVE-2023-5953,Welcart e-Commerce < 2.9.5 - Subscriber+ Arbitrary File Upload,"The Welcart e-Commerce plugin for WordPress before 2.9.5 does not validate the type of uploaded files, so any authenticated user, including a subscriber, can upload arbitrary files such as PHP scripts and thereby execute code on the server. In addition, the AJAX action that handles the upload performs no authorization check and has no CSRF protection, so the upload can also be triggered through a forged request.",Wordpress,Welcart e-Commerce,8.8,HIGH,0.0008399999933317304,false,,false,false,true,2023-12-04T22:15:00.000Z,true,false,false,,2023-12-04T22:15:00.000Z,0
CVE-2023-5952,https://securityvulnerability.io/vulnerability/CVE-2023-5952,Welcart e-Commerce < 2.9.5 - Unauthenticated PHP Object Injection,"The Welcart e-Commerce plugin for WordPress before version 2.9.5 unserialises user-controlled cookie data without validating it first. This allows unauthenticated attackers to perform PHP Object Injection when a suitable gadget chain is present in the affected WordPress installation, for example in another installed plugin or theme.",Wordpress,Welcart e-Commerce,9.8,CRITICAL,0.002589999930933118,false,,false,false,true,2023-12-04T22:15:00.000Z,true,false,false,,2023-12-04T22:15:00.000Z,0
CVE-2023-5951,https://securityvulnerability.io/vulnerability/CVE-2023-5951,Welcart e-Commerce < 2.9.5 - Reflected XSS,"The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as administrators.",Wordpress,Welcart E-commerce,6.1,MEDIUM,0.0006600000197067857,false,,false,false,true,2023-12-04T22:15:00.000Z,true,false,false,,2023-12-04T22:15:00.000Z,0
CVE-2021-4375,https://securityvulnerability.io/vulnerability/CVE-2021-4375,Authorization Bypass in Welcart e-Commerce Plugin for WordPress,"The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check in the usces_download_system_information() function in all versions up to and including 2.2.7. Any authenticated attacker can call the function to download the plugin's system information report, which discloses WordPress, plugin, PHP and server settings that are useful for further attacks. Administrators should update to a version newer than 2.2.7.",Wordpress,Welcart E-commerce,4.3,MEDIUM,0.0008099999977275729,false,,false,false,false,,,false,false,,2023-06-07T01:51:45.653Z,0
CVE-2021-4355,https://securityvulnerability.io/vulnerability/CVE-2021-4355,Authorization Bypass Vulnerability in Welcart e-Commerce Plugin for WordPress,"The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions hooked to admin_init, in all versions up to and including 2.2.7. Because admin_init also fires for unauthenticated requests to admin-ajax.php, unauthenticated attackers can reach these functions and retrieve sensitive data, including lists of members, products and orders.",Wordpress,Welcart E-commerce,5.3,MEDIUM,0.0010499999625608325,false,,false,false,false,,,false,false,,2023-06-07T01:51:24.304Z,0
CVE-2022-4655,https://securityvulnerability.io/vulnerability/CVE-2022-4655,Welcart e-Commerce < 2.8.9 - Contributor+ Stored XSS via Shortcode,"The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform a Stored Cross-Site Scripting attack.",Wordpress,Welcart E-commerce,5.4,MEDIUM,0.000539999979082495,false,,false,false,true,2023-01-16T15:37:55.000Z,true,false,false,,2023-01-16T15:37:55.918Z,0
CVE-2022-4237,https://securityvulnerability.io/vulnerability/CVE-2022-4237,Welcart e-Commerce < 2.8.6 - Subscriber+ PHAR Deserialisation,"The Welcart e-Commerce plugin for WordPress before version 2.8.6 passes unvalidated user input to file_exists() in AJAX actions that are available to any authenticated user. Because file_exists() honours PHP stream wrappers, a user with a role as low as subscriber who can also get a crafted PHAR archive onto the server can point the check at it with a phar:// path and trigger deserialisation of the archive's metadata, which leads to PHP Object Injection if a suitable gadget chain is present.",Wordpress,Welcart E-commerce,8.8,HIGH,0.0011399999493733048,false,,false,false,true,2023-01-02T21:49:40.000Z,true,false,false,,2023-01-02T21:49:40.901Z,0
CVE-2022-4236,https://securityvulnerability.io/vulnerability/CVE-2022-4236,Welcart e-Commerce < 2.8.5 - Subscriber+ Arbitrary File Access,"The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server.",Wordpress,Welcart E-commerce,6.5,MEDIUM,0.0008500000112690032,false,,false,false,true,2023-01-02T21:49:30.000Z,true,false,false,,2023-01-02T21:49:30.203Z,0
CVE-2022-4140,https://securityvulnerability.io/vulnerability/CVE-2022-4140,Welcart e-Commerce < 2.8.5 - Unauthenticated Arbitrary File Access,"The Welcart e-Commerce plugin for WordPress before version 2.8.5 does not validate user input before using it as a file path, which allows an unauthenticated attacker to read arbitrary files on the server, including configuration files that may hold credentials.",Wordpress,Welcart E-commerce,7.5,HIGH,0.023830000311136246,false,,false,false,true,2023-01-02T21:49:12.000Z,true,false,false,,2023-01-02T21:49:12.877Z,0
CVE-2022-3946,https://securityvulnerability.io/vulnerability/CVE-2022-3946,Welcart e-Commerce < 2.8.4 - Subscriber+ Arbitrary Shipping Method Creation/Update/Deletion,"The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation or CSRF checks in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.",Wordpress,Welcart E-commerce,6.5,MEDIUM,0.000539999979082495,false,,false,false,true,2022-12-12T17:54:55.000Z,true,false,false,,2022-12-12T17:54:55.841Z,0
CVE-2022-3935,https://securityvulnerability.io/vulnerability/CVE-2022-3935,Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting,"The Welcart e-Commerce WordPress plugin before 2.8.4 does not sanitise and escape some parameters, which could allow any authenticated user, such as a subscriber, to perform Stored Cross-Site Scripting attacks.",Wordpress,Welcart E-commerce,5.4,MEDIUM,0.000539999979082495,false,,false,false,true,2022-12-12T17:54:42.000Z,true,false,false,,2022-12-12T17:54:42.174Z,0
CVE-2020-28339,https://securityvulnerability.io/vulnerability/CVE-2020-28339,Object Injection Vulnerability in Collne Welcart e-Commerce Plugin for WordPress,"The Collne Welcart e-Commerce plugin for WordPress before 1.9.36 allows PHP Object Injection through the usces_unserialize function, which unserialises attacker-controlled data. Sites should update to 1.9.36 or later.",Wordpress,Welcart E-commerce,8.8,HIGH,0.00203999993391335,false,,false,false,false,,,false,false,,2020-11-07T18:16:33.000Z,0
CVE-2016-4825,https://securityvulnerability.io/vulnerability/CVE-2016-4825,,The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data.,Wordpress,Welcart E-commerce,5.6,MEDIUM,0.003980000037699938,false,,false,false,false,,,false,false,,2016-06-25T21:00:00.000Z,0
CVE-2016-4826,https://securityvulnerability.io/vulnerability/CVE-2016-4826,,"Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4827.",Wordpress,Welcart E-commerce,6.1,MEDIUM,0.0010600000387057662,false,,false,false,false,,,false,false,,2016-06-25T21:00:00.000Z,0
CVE-2016-4827,https://securityvulnerability.io/vulnerability/CVE-2016-4827,,"Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826.",Wordpress,Welcart E-commerce,6.1,MEDIUM,0.0010600000387057662,false,,false,false,false,,,false,false,,2016-06-25T21:00:00.000Z,0
CVE-2016-4828,https://securityvulnerability.io/vulnerability/CVE-2016-4828,,"The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account.",Wordpress,Welcart E-commerce,6.5,MEDIUM,0.0019099999917671084,false,,false,false,false,,,false,false,,2016-06-25T21:00:00.000Z,0
CVE-2015-7791,https://securityvulnerability.io/vulnerability/CVE-2015-7791,,Multiple SQL injection vulnerabilities in admin.php in the Collne Welcart plugin before 1.5.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) search[column] or (2) switch parameter.,Wordpress,Welcart,6.3,MEDIUM,0.00279000005684793,false,,false,false,false,,,false,false,,2015-12-29T22:00:00.000Z,0
CVE-2015-2973,https://securityvulnerability.io/vulnerability/CVE-2015-2973,,"Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3) includes/edit-form-advanced30.php, (4) includes/edit-form-advanced34.php, (5) includes/member_edit_form.php, (6) includes/order_edit_form.php, (7) includes/order_list.php, or (8) includes/usces_item_master_list.php, related to admin.php.",Wordpress,Welcart,,,0.002529999939724803,false,,false,false,false,,,false,false,,2015-07-24T16:00:00.000Z,0
CVE-2012-5178,https://securityvulnerability.io/vulnerability/CVE-2012-5178,,Cross-site request forgery (CSRF) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that complete a purchase.,Wordpress,Welcart Plugin,,,0.0015899999998509884,false,,false,false,false,,,false,false,,2012-12-19T11:55:00.000Z,0
CVE-2012-5177,https://securityvulnerability.io/vulnerability/CVE-2012-5177,,Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.,Wordpress,Welcart Plugin,,,0.0019199999514967203,false,,false,false,false,,,false,false,,2012-12-19T11:55:00.000Z,0
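Added example, written for this page and not code from securityvulnerability.io or from the Welcart project: a parser and triage pass over the feed format above. It reads the CSV with the column names from the header line, pulls the affected-version bound out of each title and description (the "up to and including X" and "before X" / "< X" phrasings the rows use), derives per product the version a site must run to clear every listed issue, and ranks the rows with exploit evidence ahead of CVSS. The ranking policy, the treatment of the exploited and poc columns as booleans, and the version-phrase patterns are this example's own assumptions about the feed, not documented semantics of the export. The sample rows are taken from the table above.

```python
"""Triage helper for the CVE feed shown above (added example; assumptions noted
in comments).  Parses the CSV, extracts affected-version bounds, works out the
minimum version per product, and ranks rows: exploitation evidence and public
PoC first, then unauthenticated reachability, then CVSS and EPSS as tie-breaks."""
import csv
import io
import re

# Sample input: seven rows taken from the table on this page, header included.
SAMPLE_CSV = """\
cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-10726,https://securityvulnerability.io/vulnerability/CVE-2024-10726,Cross-Site Request Forgery Vulnerability Affects Welcart Plugin,"The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.",Wordpress,Friendly Functions For Welcart,6.1,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2024-11-21T02:06:27.940Z,0
CVE-2023-6120,https://securityvulnerability.io/vulnerability/CVE-2023-6120,Directory Traversal Vulnerability in Welcart e-Commerce Plugin for WordPress,"The Welcart e-Commerce plugin for WordPress is vulnerable to directory traversal in the upload_certificate_file function. In all versions up to and including 2.9.6, an administrator can write uploaded .pem or .crt files to arbitrary locations on the server rather than only to the intended certificate directory. Because the attacker must already hold the administrator role, the impact is limited, which the LOW score reflects; sites should nevertheless update to a version newer than 2.9.6.",Wordpress,Welcart E-commerce,2.7,LOW,0.0008500000112690032,false,,false,false,false,,,false,false,,2023-12-09T07:15:00.000Z,0
CVE-2023-5953,https://securityvulnerability.io/vulnerability/CVE-2023-5953,Welcart e-Commerce < 2.9.5 - Subscriber+ Arbitrary File Upload,"The Welcart e-Commerce plugin for WordPress before 2.9.5 does not validate the type of uploaded files, so any authenticated user, including a subscriber, can upload arbitrary files such as PHP scripts and thereby execute code on the server. In addition, the AJAX action that handles the upload performs no authorization check and has no CSRF protection, so the upload can also be triggered through a forged request.",Wordpress,Welcart e-Commerce,8.8,HIGH,0.0008399999933317304,false,,false,false,true,2023-12-04T22:15:00.000Z,true,false,false,,2023-12-04T22:15:00.000Z,0
CVE-2023-5952,https://securityvulnerability.io/vulnerability/CVE-2023-5952,Welcart e-Commerce < 2.9.5 - Unauthenticated PHP Object Injection,"The Welcart e-Commerce plugin for WordPress before version 2.9.5 unserialises user-controlled cookie data without validating it first. This allows unauthenticated attackers to perform PHP Object Injection when a suitable gadget chain is present in the affected WordPress installation, for example in another installed plugin or theme.",Wordpress,Welcart e-Commerce,9.8,CRITICAL,0.002589999930933118,false,,false,false,true,2023-12-04T22:15:00.000Z,true,false,false,,2023-12-04T22:15:00.000Z,0
CVE-2021-4355,https://securityvulnerability.io/vulnerability/CVE-2021-4355,Authorization Bypass Vulnerability in Welcart e-Commerce Plugin for WordPress,"The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several functions hooked to admin_init, in all versions up to and including 2.2.7. Because admin_init also fires for unauthenticated requests to admin-ajax.php, unauthenticated attackers can reach these functions and retrieve sensitive data, including lists of members, products and orders.",Wordpress,Welcart E-commerce,5.3,MEDIUM,0.0010499999625608325,false,,false,false,false,,,false,false,,2023-06-07T01:51:24.304Z,0
CVE-2022-4237,https://securityvulnerability.io/vulnerability/CVE-2022-4237,Welcart e-Commerce < 2.8.6 - Subscriber+ PHAR Deserialisation,"The Welcart e-Commerce plugin for WordPress before version 2.8.6 passes unvalidated user input to file_exists() in AJAX actions that are available to any authenticated user. Because file_exists() honours PHP stream wrappers, a user with a role as low as subscriber who can also get a crafted PHAR archive onto the server can point the check at it with a phar:// path and trigger deserialisation of the archive's metadata, which leads to PHP Object Injection if a suitable gadget chain is present.",Wordpress,Welcart E-commerce,8.8,HIGH,0.0011399999493733048,false,,false,false,true,2023-01-02T21:49:40.000Z,true,false,false,,2023-01-02T21:49:40.901Z,0
CVE-2022-4140,https://securityvulnerability.io/vulnerability/CVE-2022-4140,Welcart e-Commerce < 2.8.5 - Unauthenticated Arbitrary File Access,"The Welcart e-Commerce plugin for WordPress before version 2.8.5 does not validate user input before using it as a file path, which allows an unauthenticated attacker to read arbitrary files on the server, including configuration files that may hold credentials.",Wordpress,Welcart E-commerce,7.5,HIGH,0.023830000311136246,false,,false,false,true,2023-01-02T21:49:12.000Z,true,false,false,,2023-01-02T21:49:12.877Z,0
"""

VERSION = r"(\d+(?:\.\d+)+)"
# "up to, and including, X": X itself is affected (assumed phrasing of the feed).
INCLUSIVE_RE = re.compile(r"up to,?\s*and including,?\s*" + VERSION, re.I)
# "before X" / "prior to version X" / "< X": X is the first fixed version.
EXCLUSIVE_RE = re.compile(r"(?:before|prior to|<)\s*(?:version\s*)?" + VERSION, re.I)


def parse_feed(text):
    """Read the export; flag columns become bools, numeric columns floats."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for flag in ("cisa", "exploited", "poc", "ransomware"):
            row[flag] = row[flag].strip().lower() == "true"
        row["score"] = float(row["score"] or 0)  # CVSS is blank on some old rows
        row["epss"] = float(row["epss"] or 0)
        rows.append(row)
    return rows


def version_tuple(text):
    return tuple(int(part) for part in text.split("."))


def product_key(row):
    # The feed spells one product several ways ("Welcart e-Commerce" and
    # "Welcart E-commerce"), so normalise before grouping.
    return row["products"].strip().lower()


def affected_bound(row):
    """(version_tuple, inclusive) for the highest affected version named in the
    title or description, or None when neither states one."""
    text = row["title"] + " " + row["description"]
    match = INCLUSIVE_RE.search(text)
    if match:
        return version_tuple(match.group(1)), True
    match = EXCLUSIVE_RE.search(text)
    if match:
        return version_tuple(match.group(1)), False
    return None


def required_versions(rows):
    """Per product: (version_str, strict).  strict=True means the site must run
    something newer than that version; False means that version itself is fine."""
    bounds = {}
    for row in rows:
        bound = affected_bound(row)
        if bound is None:
            continue
        key = product_key(row)
        # Higher version wins; at equal versions an inclusive bound (True) is
        # stricter than an exclusive one (False), which tuple comparison gives us.
        if key not in bounds or bound > bounds[key]:
            bounds[key] = bound
    return {k: (".".join(map(str, v[0])), v[1]) for k, v in bounds.items()}


def is_safe(installed, rows, product):
    """True if the installed version clears every listed issue for that product."""
    req = required_versions(rows).get(product.strip().lower())
    if req is None:
        return False  # no data for this product: do not claim it is clear
    inst, bound = version_tuple(installed), version_tuple(req[0])
    return inst > bound if req[1] else inst >= bound


def reachable_unauthenticated(row):
    text = row["title"] + " " + row["description"]
    return re.search(r"\bunauthenticated\b", text, re.I) is not None


def prioritize(rows):
    """CVE ids, most urgent first.  Exploit evidence outranks CVSS: a 7.5 with a
    public PoC and no login requirement lands above an 8.8 that needs an account."""
    def key(row):
        return (row["exploited"], row["poc"], reachable_unauthenticated(row),
                row["score"], row["epss"])
    return [row["cve"] for row in sorted(rows, key=key, reverse=True)]


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_CSV)
    print("\n".join(prioritize(feed)))
    for product, (version, strict) in required_versions(feed).items():
        print(f"{product}: must run {'>' if strict else '>='} {version}")
```

On the sample above, the top of the list is CVE-2023-5952 followed by CVE-2022-4140, and CVE-2022-4237 outranks CVE-2023-5953 on EPSS alone; "welcart e-commerce" resolves to "must run newer than 2.9.6" because the page states 2.9.6 as still affected without naming the fixed release, so a site on exactly 2.9.6 is reported as not clear. Rows that name no version at all are skipped by the version logic but still ranked.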