Vendor CVEs
Welcart
All CVEs
38 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-50847 | Hig | 0.49 | 7.6 | 0.01 | Dec 28, 2023 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.3. | ||
| CVE-2021-4355 | Hig | 0.49 | 7.5 | 0.01 | Jun 7, 2023 | The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7.… | ||
| CVE-2025-54012 | Hig | 0.47 | 7.2 | 0.00 | Aug 20, 2025 | Deserialization of Untrusted Data vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Object Injection.This issue affects Welcart e-Commerce: from n/a through <= 2.11.16. | ||
| CVE-2025-47511 | Med | 0.44 | 6.8 | 0.00 | Jun 9, 2025 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Path Traversal.This issue affects Welcart e-Commerce: from n/a through <= 2.11.13. | ||
| CVE-2024-57494 | Med | 0.42 | 6.5 | 0.00 | Oct 1, 2025 | Cross Site Scripting vulnerability in Neto E-Commerce CMS v.6.313.0 through v.6.3115 allows a remote attacker to escalate privileges via the kw parameter. | ||
| CVE-2016-4828 | Med | 0.42 | 6.5 | 0.02 | Jun 25, 2016 | The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account. | ||
| CVE-2015-7791 | Med | 0.41 | 6.3 | 0.02 | Dec 29, 2015 | Multiple SQL injection vulnerabilities in admin.php in the Collne Welcart plugin before 1.5.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) search[column] or (2) switch parameter. | ||
| CVE-2016-4827 | Med | 0.40 | 6.1 | 0.01 | Jun 25, 2016 | Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826. | ||
| CVE-2016-4826 | Med | 0.40 | 6.1 | 0.01 | Jun 25, 2016 | Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4827. | ||
| CVE-2025-58984 | Med | 0.38 | 5.9 | 0.00 | Sep 9, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Stored XSS.This issue affects Welcart e-Commerce: from n/a through <= 2.11.20. | ||
| CVE-2016-4825 | Med | 0.37 | 5.6 | 0.03 | Jun 25, 2016 | The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data. | ||
| CVE-2025-10406 | Med | 0.36 | 5.5 | 0.00 | Oct 15, 2025 | The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks. | ||
| CVE-2025-10649 | Med | 0.35 | 6.5 | 0.00 | Oct 8, 2025 | The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via the cookie in all versions up to, and including, 2.11.21 due to insufficient escaping on the user supplied value and lack of sufficient preparation on the existing SQL query. This makes it possible… | ||
| CVE-2025-12979 | Med | 0.34 | 5.3 | 0.00 | Nov 13, 2025 | The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured… | ||
| CVE-2025-10651 | Med | 0.29 | 5.5 | 0.00 | Oct 22, 2025 | The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it… | ||
| CVE-2025-9367 | Med | 0.29 | 5.5 | 0.00 | Sep 10, 2025 | The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level… | ||
| CVE-2025-62953 | Med | 0.28 | 4.3 | 0.00 | Oct 27, 2025 | Missing Authorization vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Welcart e-Commerce: from n/a through <= 2.11.24. | ||
| CVE-2021-4375 | Med | 0.28 | 4.3 | 0.01 | Jun 7, 2023 | The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes it possible for authenticated attackers to download… | ||
| CVE-2023-6120 | Med | 0.20 | 4.1 | 0.00 | Dec 9, 2023 | The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server. | ||
| CVE-2025-27130 | 0.00 | — | 0.00 | Apr 1, 2025 | Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product. | |||
| CVE-2025-0511 | 0.00 | — | 0.00 | Feb 12, 2025 | The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to… | |||
| CVE-2024-45366 | 0.00 | — | 0.00 | Sep 18, 2024 | Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser. | |||
| CVE-2024-42404 | 0.00 | — | 0.00 | Sep 18, 2024 | SQL injection vulnerability in Welcart e-Commerce prior to 2.11.2 allows an attacker who can login to the product to obtain or alter the information stored in the database. | |||
| CVE-2024-32144 | 0.00 | — | 0.00 | Jun 11, 2024 | Missing Authorization vulnerability in Welcart Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.14. | |||
| CVE-2023-43614 | 0.00 | — | 0.01 | Sep 26, 2023 | Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. | |||
| CVE-2023-43610 | 0.00 | — | 0.01 | Sep 26, 2023 | SQL injection vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor (without setting authority) or higher privilege to perform unintended database operations. | |||
| CVE-2023-43493 | 0.00 | — | 0.01 | Sep 26, 2023 | SQL injection vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with author or higher privilege to obtain sensitive information. | |||
| CVE-2023-43484 | 0.00 | — | 0.01 | Sep 26, 2023 | Cross-site scripting vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. | |||
| CVE-2023-41962 | 0.00 | — | 0.01 | Sep 26, 2023 | Cross-site scripting vulnerability in Credit Card Payment Setup page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script in the page. | |||
| CVE-2023-41233 | 0.00 | — | 0.01 | Sep 26, 2023 | Cross-site scripting vulnerability in Item List page registration process of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script. | |||
| CVE-2023-40532 | 0.00 | — | 0.01 | Sep 26, 2023 | Path traversal vulnerability in Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with author or higher privilege to obtain partial information of the files on the web server. | |||
| CVE-2023-40219 | 0.00 | — | 0.01 | Sep 26, 2023 | Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor or higher privilege to upload an arbitrary file to an unauthorized directory. | |||
| CVE-2021-20734 | 0.00 | — | 0.01 | Jun 22, 2021 | Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors. | |||
| CVE-2015-2973 | 0.00 | — | 0.02 | Jul 24, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3)… | |||
| CVE-2014-10017 | 0.00 | — | 0.02 | Jan 13, 2015 | Multiple SQL injection vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) changeSort or (2) switch parameter in the usces_itemedit page to wp-admin/admin.php. | |||
| CVE-2014-10016 | 0.00 | — | 0.02 | Jan 13, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to inject arbitrary web script or HTML via (1) unspecified vectors related to purchase_limit or the (2) name, (3) intl, (4) nocod, or (5) time… | |||
| CVE-2012-5178 | 0.00 | — | 0.01 | Dec 19, 2012 | Cross-site request forgery (CSRF) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that complete a purchase. | |||
| CVE-2012-5177 | 0.00 | — | 0.02 | Dec 19, 2012 | Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
- risk 0.49cvss 7.6epss 0.01
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.3.
- risk 0.49cvss 7.5epss 0.01
The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7.…
- risk 0.47cvss 7.2epss 0.00
Deserialization of Untrusted Data vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Object Injection.This issue affects Welcart e-Commerce: from n/a through <= 2.11.16.
- risk 0.44cvss 6.8epss 0.00
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Path Traversal.This issue affects Welcart e-Commerce: from n/a through <= 2.11.13.
- risk 0.42cvss 6.5epss 0.00
Cross Site Scripting vulnerability in Neto E-Commerce CMS v.6.313.0 through v.6.3115 allows a remote attacker to escalate privileges via the kw parameter.
- risk 0.42cvss 6.5epss 0.02
The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account.
- risk 0.41cvss 6.3epss 0.02
Multiple SQL injection vulnerabilities in admin.php in the Collne Welcart plugin before 1.5.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) search[column] or (2) switch parameter.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826.
- risk 0.40cvss 6.1epss 0.01
Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4827.
- risk 0.38cvss 5.9epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Stored XSS.This issue affects Welcart e-Commerce: from n/a through <= 2.11.20.
- risk 0.37cvss 5.6epss 0.03
The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data.
- risk 0.36cvss 5.5epss 0.00
The BlindMatrix e-Commerce WordPress plugin before 3.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users, such as contributors, to perform LFI attacks.
- risk 0.35cvss 6.5epss 0.00
The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via the cookie in all versions up to, and including, 2.11.21 due to insufficient escaping on the user supplied value and lack of sufficient preparation on the existing SQL query. This makes it possible…
- risk 0.34cvss 5.3epss 0.00
The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured…
- risk 0.29cvss 5.5epss 0.00
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it…
- risk 0.29cvss 5.5epss 0.00
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level…
- risk 0.28cvss 4.3epss 0.00
Missing Authorization vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Welcart e-Commerce: from n/a through <= 2.11.24.
- risk 0.28cvss 4.3epss 0.01
The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the usces_download_system_information() function in versions up to, and including, 2.2.7. This makes it possible for authenticated attackers to download…
- risk 0.20cvss 4.1epss 0.00
The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the upload_certificate_file function. This makes it possible for administrators to upload .pem or .crt files to arbitrary locations on the server.
- CVE-2025-27130Apr 1, 2025risk 0.00cvss —epss 0.00
Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker who can access websites created using the product.
- CVE-2025-0511Feb 12, 2025risk 0.00cvss —epss 0.00
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to…
- CVE-2024-45366Sep 18, 2024risk 0.00cvss —epss 0.00
Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser.
- CVE-2024-42404Sep 18, 2024risk 0.00cvss —epss 0.00
SQL injection vulnerability in Welcart e-Commerce prior to 2.11.2 allows an attacker who can login to the product to obtain or alter the information stored in the database.
- CVE-2024-32144Jun 11, 2024risk 0.00cvss —epss 0.00
Missing Authorization vulnerability in Welcart Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.14.
- CVE-2023-43614Sep 26, 2023risk 0.00cvss —epss 0.01
Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script.
- CVE-2023-43610Sep 26, 2023risk 0.00cvss —epss 0.01
SQL injection vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor (without setting authority) or higher privilege to perform unintended database operations.
- CVE-2023-43493Sep 26, 2023risk 0.00cvss —epss 0.01
SQL injection vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with author or higher privilege to obtain sensitive information.
- CVE-2023-43484Sep 26, 2023risk 0.00cvss —epss 0.01
Cross-site scripting vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script.
- CVE-2023-41962Sep 26, 2023risk 0.00cvss —epss 0.01
Cross-site scripting vulnerability in Credit Card Payment Setup page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script in the page.
- CVE-2023-41233Sep 26, 2023risk 0.00cvss —epss 0.01
Cross-site scripting vulnerability in Item List page registration process of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker to inject an arbitrary script.
- CVE-2023-40532Sep 26, 2023risk 0.00cvss —epss 0.01
Path traversal vulnerability in Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with author or higher privilege to obtain partial information of the files on the web server.
- CVE-2023-40219Sep 26, 2023risk 0.00cvss —epss 0.01
Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor or higher privilege to upload an arbitrary file to an unauthorized directory.
- CVE-2021-20734Jun 22, 2021risk 0.00cvss —epss 0.01
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
- CVE-2015-2973Jul 24, 2015risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3)…
- CVE-2014-10017Jan 13, 2015risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) changeSort or (2) switch parameter in the usces_itemedit page to wp-admin/admin.php.
- CVE-2014-10016Jan 13, 2015risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to inject arbitrary web script or HTML via (1) unspecified vectors related to purchase_limit or the (2) name, (3) intl, (4) nocod, or (5) time…
- CVE-2012-5178Dec 19, 2012risk 0.00cvss —epss 0.01
Cross-site request forgery (CSRF) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that complete a purchase.
- CVE-2012-5177Dec 19, 2012risk 0.00cvss —epss 0.02
Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.