Vulnerabilities and security researches forusc-e-shop usc-e-shop

Direction: ascending

Jun 07, 2024

Welcart e-Commerce # CVE-2020-28339

CVE, Research URL: CVE-2020-28339
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Nov 08, 2020
Research Description: The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9.36 for WordPress allows Object Injection because of usces_unserialize. There is not a complete POP chain.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2012-5177

CVE, Research URL: CVE-2012-5177
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Dec 19, 2012
Research Description: Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2015-7791

CVE, Research URL: CVE-2015-7791
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Dec 30, 2015
Research Description: Multiple SQL injection vulnerabilities in admin.php in the Collne Welcart plugin before 1.5.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) search[column] or (2) switch parameter.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2016-4825

CVE, Research URL: CVE-2016-4825
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jun 26, 2016
Research Description: The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2016-4826

CVE, Research URL: CVE-2016-4826
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jun 26, 2016
Research Description: Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4827.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2016-4828

CVE, Research URL: CVE-2016-4828
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jun 26, 2016
Research Description: The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2016-4827

CVE, Research URL: CVE-2016-4827
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jun 26, 2016
Research Description: Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2022-3935

CVE, Research URL: CVE-2022-3935
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Dec 12, 2022
Research Description: The Welcart e-Commerce WordPress plugin before 2.8.4 does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2015-2973

CVE, Research URL: CVE-2015-2973
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jul 24, 2015
Research Description: Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3) includes/edit-form-advanced30.php, (4) includes/edit-form-advanced34.php, (5) includes/member_edit_form.php, (6) includes/order_edit_form.php, (7) includes/order_list.php, or (8) includes/usces_item_master_list.php, related to admin.php.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2022-4237

CVE, Research URL: CVE-2022-4237
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jan 03, 2023
Research Description: The Welcart e-Commerce WordPress plugin before 2.8.6 does not validate user input before using it in file_exist() functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present on the blog
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2014-10016

CVE, Research URL: CVE-2014-10016
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jan 13, 2015
Research Description: Multiple cross-site scripting (XSS) vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to inject arbitrary web script or HTML via (1) unspecified vectors related to purchase_limit or the (2) name, (3) intl, (4) nocod, or (5) time parameter in an add_delivery_method action to wp-admin/admin-ajax.php.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2022-3946

CVE, Research URL: CVE-2022-3946
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Dec 12, 2022
Research Description: The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2022-4140

CVE, Research URL: CVE-2022-4140
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jan 03, 2023
Research Description: The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file, which could allow unauthenticated attacker to read arbitrary files on the server
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2014-10017

CVE, Research URL: CVE-2014-10017
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jan 13, 2015
Research Description: Multiple SQL injection vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) changeSort or (2) switch parameter in the usces_itemedit page to wp-admin/admin.php.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2012-5178

CVE, Research URL: CVE-2012-5178
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Dec 19, 2012
Research Description: Cross-site request forgery (CSRF) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that complete a purchase.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2022-41840

CVE, Research URL: CVE-2022-41840
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Nov 19, 2022
Research Description: Unauth. Directory Traversal vulnerability in Welcart eCommerce plugin <= 2.7.7 on WordPress.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2022-4236

CVE, Research URL: CVE-2022-4236
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jan 03, 2023
Research Description: The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2021-4355

CVE, Research URL: CVE-2021-4355
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jun 07, 2023
Research Description: The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of members, products and orders.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2022-4655

CVE, Research URL: CVE-2022-4655
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jan 16, 2023
Research Description: The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2023-22705

CVE, Research URL: CVE-2023-22705
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Mar 30, 2023
Research Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Collne Inc. Welcart e-Commerce plugin <= 2.8.10 versions.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2021-4375

CVE, Research URL: CVE-2021-4375
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jun 07, 2023
Research Description: The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes it possible for authenticated attackers to download information including WordPress settings, plugin settings, PHP settings and server settings.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2023-6120

CVE, Research URL: CVE-2023-6120
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Dec 09, 2023
Research Description: The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2023-50847

CVE, Research URL: CVE-2023-50847
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Dec 29, 2023
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.3.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2024-32144

CVE, Research URL: CVE-2024-32144
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jun 11, 2024
Research Description: Missing Authorization vulnerability in Welcart Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.14.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2023-40219

CVE, Research URL: CVE-2023-40219
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Sep 27, 2023
Research Description: Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor or higher privilege to upload an arbitrary file to an unauthorized directory.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2023-5952

CVE, Research URL: CVE-2023-5952
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Dec 05, 2023
Research Description: The Welcart e-Commerce WordPress plugin before 2.9.5 unserializes user input from cookies, which could allow unautehtniacted users to perform PHP Object Injection when a suitable gadget is present on the blog
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2023-5951

CVE, Research URL: CVE-2023-5951
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Dec 05, 2023
Research Description: The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2023-5953

CVE, Research URL: CVE-2023-5953
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Dec 05, 2023
Research Description: The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, as well as does not have authorisation and CSRF in an AJAX action handling such upload. As a result, any authenticated users, such as subscriber could upload arbitrary files, such as PHP on the server
Affected versions: Min -, max -.
Status: vulnerable

Jun 10, 2024

Welcart e-Commerce # CVE-2023-43493

CVE, Research URL: CVE-2023-43493
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: -
Research Description: The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via multiple parameters in the 'get_logs' functionality in versions up to, and including, 2.8.21 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with user level 5 or higher (which corresponds roughly to Author-level capabilities) to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2021-20734

CVE, Research URL: CVE-2021-20734
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: -
Research Description: Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2023-43610

CVE, Research URL: CVE-2023-43610
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: -
Research Description: The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via the order data edit page in versions up to, and including, 2.8.21 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions: Min -, max -.
Status: vulnerable

Sep 23, 2024

Welcart e-Commerce # CVE-2024-45366

CVE, Research URL: CVE-2024-45366
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Sep 18, 2024
Research Description: Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser.
Affected versions: Min -, max -.
Status: vulnerable

Welcart e-Commerce # CVE-2024-42404

CVE, Research URL: CVE-2024-42404
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Sep 18, 2024
Research Description: SQL injection vulnerability in Welcart e-Commerce prior to 2.11.2 allows an attacker who can login to the product to obtain or alter the information stored in the database.
Affected versions: Min -, max -.
Status: vulnerable

Feb 13, 2025

Welcart e-Commerce # CVE-2025-0511

CVE, Research URL: CVE-2025-0511
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Feb 12, 2025
Research Description: The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Jul 19, 2025

Welcart e-Commerce # CVE-2025-54013

CVE, Research URL: CVE-2025-54013
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Date: Jul 16, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nanbu Welcart e-Commerce allows Stored XSS. This issue affects Welcart e-Commerce: from n/a through 2.11.16.
Affected versions: Min -, max -.
Status: vulnerable