Vulnerabilities > Welcart > Welcart E Commerce > 2.5.5

DATE CVE VULNERABILITY TITLE RISK
2025-02-12 CVE-2025-0511 Cross-site Scripting vulnerability in Welcart E-Commerce
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping.
network
low complexity
welcart CWE-79
6.1
2023-12-28 CVE-2023-50847 SQL Injection vulnerability in Welcart E-Commerce
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc.
network
low complexity
welcart CWE-89
7.2
2023-12-09 CVE-2023-6120 Path Traversal vulnerability in Welcart E-Commerce
The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function.
network
low complexity
welcart CWE-22
2.7
2023-12-04 CVE-2023-5951 Cross-site Scripting vulnerability in Welcart E-Commerce
The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
network
low complexity
welcart CWE-79
6.1
2023-12-04 CVE-2023-5952 Unspecified vulnerability in Welcart E-Commerce
The Welcart e-Commerce WordPress plugin before 2.9.5 unserializes user input from cookies, which could allow unautehtniacted users to perform PHP Object Injection when a suitable gadget is present on the blog
network
low complexity
welcart
critical
9.8
2023-12-04 CVE-2023-5953 Unrestricted Upload of File with Dangerous Type vulnerability in Welcart E-Commerce
The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, as well as does not have authorisation and CSRF in an AJAX action handling such upload.
network
low complexity
welcart CWE-434
8.8
2023-03-29 CVE-2023-22705 Cross-site Scripting vulnerability in Welcart E-Commerce
Unauth.
network
low complexity
welcart CWE-79
6.1
2023-01-16 CVE-2022-4655 Unspecified vulnerability in Welcart E-Commerce
The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortcode attributes, which could allow users with a role as low as a contributor to perform a Stored Cross-Site Scripting attack.
network
low complexity
welcart
5.4
2023-01-02 CVE-2022-4140 Unspecified vulnerability in Welcart E-Commerce
The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file, which could allow unauthenticated attacker to read arbitrary files on the server
network
low complexity
welcart
7.5
2023-01-02 CVE-2022-4236 Files or Directories Accessible to External Parties vulnerability in Welcart E-Commerce
The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server.
network
low complexity
welcart CWE-552
6.5