Vulnerabilities and security researches forwpshop wpshop

Jun 07, 2024

CVE, Research URL: 25b8175a29186935197d85344c35e6cb9e68092c
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: Sep 17, 2015
Research Description: WPshop 2 – E-Commerce [wpshop] < 3.4.3.19 WordPress Shop Plugin <= 3.4.3.18 - Multiple Vulnerabilities This plugin is prone to cross site scripting and cross site request forgery vulnerabilities. Update the plugin.
Affected versions: max 3.4.3.19.
Status: vulnerable

Apr 11, 2025

CVE, Research URL: CVE-2025-32576
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: Apr 09, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows Upload a Web Shell to a Web Server.This issue affects WP shop: from n/a through <= 2.6.1.
Affected versions: max 2.6.1.
Status: vulnerable

May 08, 2025

CVE, Research URL: CVE-2025-3853
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: May 07, 2025
Research Description: The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create valid API keys on behalf of other users.
Affected versions: Min 2.0.0, max 2.6.0.
Status: vulnerable

CVE, Research URL: CVE-2025-3852
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: May 07, 2025
Research Description: The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email & password through the update() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Affected versions: Min 2.0.0, max 2.6.0.
Status: vulnerable

Jul 20, 2025

CVE, Research URL: CVE-2015-10135
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: Jul 19, 2025
Research Description: The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
Affected versions: max 1.3.9.6.
Status: vulnerable

Feb 28, 2026

CVE, Research URL: CVE-2025-69383
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: Feb 20, 2026
Research Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a through <= 2.6.1.
Affected versions: max 2.6.1.
Status: vulnerable

Jun 16, 2026

CVE, Research URL: 6d9637e162c1f4d521a590681b37fa2918babece
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: Jul 08, 2015
Research Description: WPshop 2 – E-Commerce [wpshop] < 3.4.3.16 WordPress Shop Plugin <= 3.4.3.15 - Blind SQL Injection This plugin is prone to an SQL injection via "wpshop_id" parameter. Update the plugin.
Affected versions: max 3.4.3.16.
Status: vulnerable

CVE, Research URL: 0f9c01caef7f6babf3ec24ce1fd97b741071e5b9
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: Mar 09, 2015
Research Description: WPshop 2 – E-Commerce [wpshop] < 1.3.9.6 WPshop 2 – E-Commerce < 1.3.9.6 - Arbitrary File Upload The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
Affected versions: max 1.3.9.6.
Status: vulnerable

CVE, Research URL: 85bb2718-2228-4405-8b50-76995dbf6862
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: -
Research Description: WPshop 2 – E-Commerce [wpshop] < 1.3.9.6 Wpshop - eCommerce <= 1.3.9.5 - Arbitrary File Upload The script 'includes/ajax.php' allows execution of various actions by anonymous users. The action name is provided in the 'elementCode' parameter. One of these actions is named 'ajaxUpload'. This function allows for upload of arbitrary files, due to lack of sanitation of user input.
Affected versions: max 1.3.9.6.
Status: vulnerable

CVE, Research URL: 405aa69006f803e554963210e83e3bd549a1ebe1
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: Mar 09, 2015
Research Description: WPshop 2 – E-Commerce [wpshop] < 1.3.9.6 WordPress WP shop Plugin <= 1.3.9.5 - Arbitrary File Upload This plugin is prone to an arbitrary file upload vulnerability during "ajaxUpload" action. Update the plugin.
Affected versions: max 1.3.9.6.
Status: vulnerable