VYPR
Vendor

Welcart

Products
2
CVEs
38
Across products
38
Status
Private

Products

2

Recent CVEs

38
View all 38 CVEs →
  • CVE-2023-50847HigDec 28, 2023
    risk 0.49cvss 7.6epss 0.01

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.3.

  • CVE-2021-4355HigJun 7, 2023
    risk 0.49cvss 7.5epss 0.01

    The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7.…

  • CVE-2025-54012HigAug 20, 2025
    risk 0.47cvss 7.2epss 0.00

    Deserialization of Untrusted Data vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Object Injection.This issue affects Welcart e-Commerce: from n/a through <= 2.11.16.

  • CVE-2025-47511MedJun 9, 2025
    risk 0.44cvss 6.8epss 0.00

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Path Traversal.This issue affects Welcart e-Commerce: from n/a through <= 2.11.13.

  • CVE-2024-57494MedOct 1, 2025
    risk 0.42cvss 6.5epss 0.00

    Cross Site Scripting vulnerability in Neto E-Commerce CMS v.6.313.0 through v.6.3115 allows a remote attacker to escalate privileges via the kw parameter.

  • CVE-2016-4828MedJun 25, 2016
    risk 0.42cvss 6.5epss 0.02

    The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account.

  • CVE-2015-7791MedDec 29, 2015
    risk 0.41cvss 6.3epss 0.02

    Multiple SQL injection vulnerabilities in admin.php in the Collne Welcart plugin before 1.5.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) search[column] or (2) switch parameter.

  • CVE-2016-4827MedJun 25, 2016
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826.

  • CVE-2016-4826MedJun 25, 2016
    risk 0.40cvss 6.1epss 0.01

    Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4827.

  • CVE-2025-58984MedSep 9, 2025
    risk 0.38cvss 5.9epss 0.00

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Stored XSS.This issue affects Welcart e-Commerce: from n/a through <= 2.11.20.

  • CVE-2016-4825MedJun 25, 2016
    risk 0.37cvss 5.6epss 0.03

    The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data.

  • CVE-2025-10406MedOct 15, 2025
    risk 0.36cvss 5.5epss 0.00

    The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks.

  • CVE-2025-10649MedOct 8, 2025
    risk 0.35cvss 6.5epss 0.00

    The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via the cookie in all versions up to, and including, 2.11.21 due to insufficient escaping on the user supplied value and lack of sufficient preparation on the existing SQL query. This makes it possible…

  • CVE-2025-12979MedNov 13, 2025
    risk 0.34cvss 5.3epss 0.00

    The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured…

  • CVE-2025-10651MedOct 22, 2025
    risk 0.29cvss 5.5epss 0.00

    The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it…

  • CVE-2025-9367MedSep 10, 2025
    risk 0.29cvss 5.5epss 0.00

    The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level…

  • CVE-2025-62953MedOct 27, 2025
    risk 0.28cvss 4.3epss 0.00

    Missing Authorization vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Welcart e-Commerce: from n/a through <= 2.11.24.

  • CVE-2021-4375MedJun 7, 2023
    risk 0.28cvss 4.3epss 0.01

    The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes it possible for authenticated attackers to download…

  • CVE-2023-6120MedDec 9, 2023
    risk 0.20cvss 4.1epss 0.00

    The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server.

  • CVE-2025-27130Apr 1, 2025
    risk 0.00cvss epss 0.00

    Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product.