Vulnerabilities and security researches forecwid-shopping-cart ecwid-shopping-cart

Jun 07, 2024

CVE, Research URL: CVE-2022-2432
Home page URL: Security reports for Ecwid Ecommerce Shopping Cart
Application: Ecwid Ecommerce Shopping Cart
Date: Sep 06, 2022
Research Description: The Ecwid Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.10.23. This is due to missing or incorrect nonce validation on the ecwid_update_plugin_params function. This makes it possible for unauthenticated attackers to update plugin options granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: b5f03bb31775ebf4a4d37748a05c7b6ea2a5ffb4
Home page URL: Security reports for Ecwid Ecommerce Shopping Cart
Application: Ecwid Ecommerce Shopping Cart
Date: Aug 08, 2016
Research Description: Ecwid by Lightspeed Ecommerce Shopping Cart [ecwid-shopping-cart] < 4.4.4 WordPress Ecwid Shopping Cart Plugin <= 4.4.3 - Unauthenticated PHP Object Injection Because of this vulnerability, attackers can execute arbitrary PHP code. Update the plugin.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-24408
Home page URL: Security reports for Ecwid Ecommerce Shopping Cart
Application: Ecwid Ecommerce Shopping Cart
Date: May 08, 2023
Research Description: Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Ecwid Ecommerce Ecwid Ecommerce Shopping Cart plugin <= 6.11.4 versions.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-24377
Home page URL: Security reports for Ecwid Ecommerce Shopping Cart
Application: Ecwid Ecommerce Shopping Cart
Date: Feb 14, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Ecwid Ecommerce Ecwid Ecommerce Shopping Cart plugin <= 6.11.3 versions.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-51533
Home page URL: Security reports for Ecwid Ecommerce Shopping Cart
Application: Ecwid Ecommerce Shopping Cart
Date: Feb 29, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Ecwid Ecommerce Ecwid Ecommerce Shopping Cart.This issue affects Ecwid Ecommerce Shopping Cart: from n/a through 6.12.4.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-6292
Home page URL: Security reports for Ecwid Ecommerce Shopping Cart
Application: Ecwid Ecommerce Shopping Cart
Date: Jan 16, 2024
Research Description: The Ecwid Ecommerce Shopping Cart WordPress plugin before 6.12.5 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2024-2456
Home page URL: Security reports for Ecwid Ecommerce Shopping Cart
Application: Ecwid Ecommerce Shopping Cart
Date: Apr 10, 2024
Research Description: The Ecwid Ecommerce Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 6.12.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Feb 18, 2025

CVE, Research URL: CVE-2024-13795
Home page URL: Security reports for Ecwid Ecommerce Shopping Cart
Application: Ecwid Ecommerce Shopping Cart
Date: Feb 18, 2025
Research Description: The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.12.27. This is due to missing or incorrect nonce validation on the ecwid_deactivate_feedback() function. This makes it possible for unauthenticated attackers to send deactivation messages on behalf of a site owner via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Apr 05, 2025

CVE, Research URL: CVE-2025-32195
Home page URL: Security reports for Ecwid Ecommerce Shopping Cart
Application: Ecwid Ecommerce Shopping Cart
Date: Apr 04, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart allows Stored XSS. This issue affects Ecwid Shopping Cart: from n/a through 7.0.
Affected versions: Min -, max -.
Status: vulnerable