Filtered by vendor Welcart
Subscriptions
Filtered by product Welcart E-commerce
Subscriptions
Total
32 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-0511 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 7.2 High |
| The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2022-41840 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 7.5 High |
| Unauth. Directory Traversal vulnerability in Welcart eCommerce plugin <= 2.7.7 on WordPress. | ||||
| CVE-2016-4828 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 6.5 Medium |
| The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account. | ||||
| CVE-2022-4140 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 7.5 High |
| The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file, which could allow unauthenticated attacker to read arbitrary files on the server | ||||
| CVE-2023-41233 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 6.1 Medium |
| Cross-site scripting vulnerability in Item List page registration process of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. | ||||
| CVE-2023-43484 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 6.1 Medium |
| Cross-site scripting vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. | ||||
| CVE-2023-43610 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 8.8 High |
| SQL injection vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor (without setting authority) or higher privilege to perform unintended database operations. | ||||
| CVE-2023-43614 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 6.1 Medium |
| Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. | ||||
| CVE-2021-4355 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 7.5 High |
| The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of members, products and orders. | ||||
| CVE-2016-4827 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826. | ||||
| CVE-2023-22705 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 7.1 High |
| Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Collne Inc. Welcart e-Commerce plugin <= 2.8.10 versions. | ||||
| CVE-2023-40219 | 2 Coline, Welcart | 2 Welcart E-commerce, Welcart E-commerce | 2025-02-20 | 7.2 High |
| Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor or higher privilege to upload an arbitrary file to an unauthorized directory. | ||||
| CVE-2023-41962 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 6.1 Medium |
| Cross-site scripting vulnerability in Credit Card Payment Setup page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script in the page. | ||||
| CVE-2023-43493 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 4.9 Medium |
| SQL injection vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with author or higher privilege to obtain sensitive information. | ||||
| CVE-2023-50847 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.3. | ||||
| CVE-2016-4826 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 6.1 Medium |
| Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4827. | ||||
| CVE-2023-5953 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 8.8 High |
| The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, as well as does not have authorisation and CSRF in an AJAX action handling such upload. As a result, any authenticated users, such as subscriber could upload arbitrary files, such as PHP on the server | ||||
| CVE-2023-6120 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 4.1 Medium |
| The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server. | ||||
| CVE-2016-4825 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 5.6 Medium |
| The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data. | ||||
| CVE-2020-28339 | 1 Welcart | 1 Welcart E-commerce | 2025-02-20 | 7.5 High |
| The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9.36 for WordPress allows Object Injection because of usces_unserialize. There is not a complete POP chain. | ||||