cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for wpshop

Jun 07, 2024

WPshop 2 – E-Commerce # 25b8175a29186935197d85344c35e6cb9e68092c

Date
Sep 17, 2015
Research Description
WPshop 2 – E-Commerce [wpshop] < 1.3.9.6 WordPress Shop Plugin <= 3.4.3.18 - Multiple Vulnerabilities. This plugin is prone to cross-site scripting and cross-site request forgery vulnerabilities. Update the plugin.
Affected versions
Min -, max -.
Status
vulnerable
Apr 11, 2025

WPshop 2 – E-Commerce # CVE-2025-32576

CVE, Research URL

CVE-2025-32576

Date
Apr 09, 2025
Research Description
Cross-Site Request Forgery (CSRF) vulnerability in Agence web Eoxia - Montpellier WP shop allows Upload a Web Shell to a Web Server. This issue affects WP shop: from n/a through 2.6.0.
Affected versions
Min -, max -.
Status
vulnerable
May 08, 2025

WPshop 2 – E-Commerce # CVE-2025-3853

CVE, Research URL

CVE-2025-3853

Date
May 07, 2025
Research Description
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create valid API keys on behalf of other users.
Affected versions
Min -, max -.
Status
vulnerable

WPshop 2 – E-Commerce # CVE-2025-3852

CVE, Research URL

CVE-2025-3852

Date
May 07, 2025
Research Description
The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email & password through the update() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Affected versions
Min -, max -.
Status
vulnerable