Vulnerabilities and security researches forwpshop wpshop

Jul 20, 2025

CVE, Research URL: CVE-2015-10135
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: Jul 19, 2025
Research Description: The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible.
Affected versions: Min -, max -.
Status: vulnerable

May 08, 2025

CVE, Research URL: CVE-2025-3853
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: May 07, 2025
Research Description: The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 2.0.0 to 2.6.0 via the callback_generate_api_key() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create valid API keys on behalf of other users.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2025-3852
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: May 07, 2025
Research Description: The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.0 to 2.6.0. This is due to the plugin not properly validating a user's identity prior to updating their details like email & password through the update() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Affected versions: Min -, max -.
Status: vulnerable

Apr 11, 2025

CVE, Research URL: CVE-2025-32576
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: Apr 09, 2025
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Agence web Eoxia - Montpellier WP shop allows Upload a Web Shell to a Web Server. This issue affects WP shop: from n/a through 2.6.0.
Affected versions: Min -, max -.
Status: vulnerable

Jun 07, 2024

CVE, Research URL: 25b8175a29186935197d85344c35e6cb9e68092c
Home page URL: Security reports for WPshop 2 – E-Commerce
Application: WPshop 2 – E-Commerce
Date: Sep 17, 2015
Research Description: WPshop 2 – E-Commerce [wpshop] < 1.3.9.6 WordPress Shop Plugin <= 3.4.3.18 - Multiple Vulnerabilities This plugin is prone to cross site scripting and cross site request forgery vulnerabilities. Update the plugin.
Affected versions: Min -, max -.
Status: vulnerable