CVE-2026-49775

Vulnerability

The vulnerability exists in the Welcart e-Commerce plugin (aka usc-e-shop) for WordPress versions 2.11.28 and earlier. It is a broken access control issue where the plugin fails to properly authenticate or authorize certain functions, allowing unauthenticated access to actions that should require higher privileges. [1]

Exploitation

An unauthenticated attacker can exploit this by sending specially crafted requests to the vulnerable plugin's endpoints. No authentication or user interaction is required, making it easy to execute. [1] The vulnerability is expected to be used in mass-exploit campaigns. [1]

Impact

Successful exploitation allows an unauthenticated attacker to perform higher-privileged actions, potentially leading to unauthorized access, data modification, or other malicious activities depending on the affected functionality. [1] The CVSS score of 6.5 indicates medium severity.

Mitigation

Users should update to version 2.11.29 or later immediately. [1] For those unable to update, applying a mitigation rule such as the one provided by Patchstack can block attacks until the update is applied. [1] Auto-update for vulnerable plugins can be enabled for Patchstack users. [1]