Welcart Welcart E-commerce — known CVE vulnerabilities
Every CVE whose affected-product data names Welcart Welcart E-commerce, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (36)
CVE-2023-5952 — CVSS 9.8 (critical): The Welcart e-Commerce WordPress plugin before 2.9.5 unserializes user input from cookies, which could allow unautehtniacted users to…
CVE-2022-4237 — CVSS 8.8 (high): The Welcart e-Commerce WordPress plugin before 2.8.6 does not validate user input before using it in file_exist() functions via various…
CVE-2025-27130 — CVSS 8.8 (high): Welcart e-Commerce 2.11.6 and earlier versions contains an untrusted data deserialization vulnerability. If this vulnerability is…
CVE-2023-43610 — CVSS 8.8 (high): SQL injection vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor (without setting…
CVE-2024-42404 — CVSS 8.8 (high): SQL injection vulnerability in Welcart e-Commerce prior to 2.11.2 allows an attacker who can login to the product to obtain or alter the…
CVE-2023-5953 — CVSS 8.8 (high): The Welcart e-Commerce WordPress plugin before 2.9.5 does not validate files to be uploaded, as well as does not have authorisation and…
CVE-2023-50847 — CVSS 7.6 (high): Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce.This…
CVE-2022-4140 — CVSS 7.5 (high): The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file, which…
CVE-2021-4355 — CVSS 7.5 (high): The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the…
CVE-2020-28339 — CVSS 7.5 (high): The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9.36 for WordPress allows Object Injection because of usces_unserialize…
CVE-2023-40219 — CVSS 7.2 (high): Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with editor or higher privilege to upload an arbitrary file to an unauthorized…
CVE-2025-0511 — CVSS 7.2 (high): The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up…
CVE-2023-22705 — CVSS 7.1 (high): Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Collne Inc. Welcart e-Commerce plugin <= 2.8.10 versions.
CVE-2025-47511 — CVSS 6.8 (medium): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in info@welcart Welcart e-Commerce usc-e-shop…
CVE-2022-3946 — CVSS 6.5 (medium): The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to…
CVE-2016-4828 — CVSS 6.5 (medium): The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by…
CVE-2022-4236 — CVSS 6.5 (medium): The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an…
CVE-2015-7791 — CVSS 6.3 (medium): Multiple SQL injection vulnerabilities in admin.php in the Collne Welcart plugin before 1.5.3 for WordPress allow remote authenticated…
CVE-2021-20734 — CVSS 6.1 (medium): Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML…
CVE-2023-41233 — CVSS 6.1 (medium): Cross-site scripting vulnerability in Item List page registration process of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote…
CVE-2023-41962 — CVSS 6.1 (medium): Cross-site scripting vulnerability in Credit Card Payment Setup page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote…
CVE-2023-43484 — CVSS 6.1 (medium): Cross-site scripting vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated attacker…
CVE-2023-43614 — CVSS 6.1 (medium): Cross-site scripting vulnerability in Order Data Edit page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a remote unauthenticated…
CVE-2023-5951 — CVSS 6.1 (medium): The Welcart e-Commerce WordPress plugin before 2.9.5 does not sanitise and escape a parameter before outputting it back in the page…
CVE-2016-4827 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to…
CVE-2016-4826 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to…
CVE-2024-45366 — CVSS 6.1 (medium): Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script…
CVE-2016-4825 — CVSS 5.6 (medium): The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute…
CVE-2024-32144 — CVSS 5.4 (medium): Missing Authorization vulnerability in Welcart Inc. Welcart e-Commerce.This issue affects Welcart e-Commerce: from n/a through 2.9.14.
CVE-2022-3935 — CVSS 5.4 (medium): The Welcart e-Commerce WordPress plugin before 2.8.4 does not sanitise and escape some parameters, which could allow any authenticated…
CVE-2022-4655 — CVSS 5.4 (medium): The Welcart e-Commerce WordPress plugin before 2.8.9 does not validate and escapes one of its shortcode attributes, which could allow users…
CVE-2023-43493 — CVSS 4.9 (medium): SQL injection vulnerability in Item List page of Welcart e-Commerce versions 2.7 to 2.8.21 allows a user with author or higher privilege to…
CVE-2015-2973 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject…
CVE-2021-4375 — CVSS 4.3 (medium): The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the…
CVE-2023-6120 — CVSS 4.1 (medium): The Welcart e-Commerce plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.6 via the…