Vulnerabilities and security researches forwp-easycart wp-easycart
Direction: descendingMar 30, 2026
Shopping Cart & eCommerce Store # CVE-2026-32422
- CVE, Research URL
- Home page URL
- Application
- Date
- Mar 14, 2026
- Research Description
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Blind SQL Injection.This issue affects WP EasyCart: from n/a through <= 5.8.13.
- Affected versions
-
max 5.8.13.
- Status
-
vulnerable
Dec 11, 2025
Shopping Cart & eCommerce Store # CVE-2025-62997
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 09, 2025
- Research Description
- Insertion of Sensitive Information Into Sent Data vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Retrieve Embedded Sensitive Data.This issue affects WP EasyCart: from n/a through <= 5.8.11.
- Affected versions
-
max 5.8.11.
- Status
-
vulnerable
Jan 09, 2025
Shopping Cart & eCommerce Store # CVE-2024-12712
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 08, 2025
- Research Description
- The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the webhook function in all versions up to, and including, 5.7.8. This makes it possible for unauthenticated attackers to modify order statuses.
- Affected versions
-
max 5.7.9.
- Status
-
vulnerable
Aug 21, 2024
Shopping Cart & eCommerce Store # CVE-2024-7827
- CVE, Research URL
- Home page URL
- Application
- Date
- Aug 20, 2024
- Research Description
- The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to boolean-based SQL Injection via the ‘model_number’ parameter in all versions up to, and including, 5.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Affected versions
-
max 5.7.3.
- Status
-
vulnerable
Jun 07, 2024
Shopping Cart & eCommerce Store # CVE-2021-34645
- CVE, Research URL
- Home page URL
- Application
- Date
- Aug 19, 2021
- Research Description
- The Shopping Cart & eCommerce Store WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.1.0.
- Affected versions
-
max 5.1.5.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2014-4942
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 12, 2014
- Research Description
- The EasyCart (wp-easycart) plugin before 2.0.6 for WordPress allows remote attackers to obtain configuration information via a direct request to inc/admin/phpinfo.php, which calls the phpinfo function.
- Affected versions
-
max 5.2.5.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2023-1124
- CVE, Research URL
- Home page URL
- Application
- Date
- Apr 03, 2023
- Research Description
- The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks.
- Affected versions
-
max 5.4.3.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2014-9308
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 15, 2015
- Research Description
- Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/.
- Affected versions
-
max 3.0.16.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2023-2896
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 09, 2023
- Research Description
- The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_duplicate_product function. This makes it possible for unauthenticated attackers to duplicate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
max 5.4.9.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2023-2893
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 09, 2023
- Research Description
- The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_deactivate_product function. This makes it possible for unauthenticated attackers to deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
max 5.4.9.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2023-2895
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 09, 2023
- Research Description
- The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_activate_product function. This makes it possible for unauthenticated attackers to bulk activate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
max 5.4.9.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2023-2894
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 09, 2023
- Research Description
- The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_deactivate_product function. This makes it possible for unauthenticated attackers to bulk deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
max 5.4.9.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2023-2892
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 09, 2023
- Research Description
- The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_delete_product function. This makes it possible for unauthenticated attackers to bulk delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
max 5.4.9.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2015-2673
- CVE, Research URL
- Home page URL
- Application
- Date
- Oct 07, 2017
- Research Description
- The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for WordPress allow remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters.
- Affected versions
-
Min 1.1.30, max 3.0.20.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2024-32452
- CVE, Research URL
- Home page URL
- Application
- Date
- Apr 15, 2024
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in WP EasyCart.This issue affects WP EasyCart: from n/a through 5.5.19.
- Affected versions
-
max 5.6.0.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2023-2891
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 09, 2023
- Research Description
- The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_delete_product function. This makes it possible for unauthenticated attackers to delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
- Affected versions
-
max 5.4.9.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2024-3211
- CVE, Research URL
- Home page URL
- Application
- Date
- Apr 12, 2024
- Research Description
- The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to SQL Injection via the 'productid' attribute of the ec_addtocart shortcode in all versions up to, and including, 5.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Affected versions
-
max 5.6.4.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2024-4213
- CVE, Research URL
- Home page URL
- Application
- Date
- May 14, 2024
- Research Description
- The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.6.4 via the order report functionality. This makes it possible for unauthenticated attackers to extract sensitive data including order details such as payment details, addresses and other PII.
- Affected versions
-
max 5.6.5.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2024-35667
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 11, 2024
- Research Description
- Missing Authorization vulnerability in WP EasyCart.This issue affects WP EasyCart: from n/a through 5.5.19.
- Affected versions
-
max 5.6.0.
- Status
-
vulnerable
Shopping Cart & eCommerce Store # CVE-2023-3023
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 12, 2023
- Research Description
- The WP EasyCart plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in versions up to, and including, 5.4.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level or above permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Affected versions
-
max 5.2.5.
- Status
-
vulnerable