logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

Welcart e-Commerce < 1.9.36 - Authenticated PHP Object Injection

Description

The plugin unserialises (via usces_unserialize()) the content of the usces_cookie cookie, which could lead to a PHP Object Injection issue.

Affects Plugins

usc-e-shop

Fixed in version 1.9.36

References

CVE

CVE-2020-28339

URL

https://www.wordfence.com/blog/2020/11/object-injection-vulnerability-in-welcart-e-commerce-plugin/

Classification

Type

OBJECT INJECTION

OWASP top 10

A8: Insecure Deserialization

CWE

CWE-502

Miscellaneous

Original Researcher

Ram Gall (Wordfence)

Verified

No

WPVDB ID

177acb3e-b7a2-4a86-9808-4b90d1dbe146

Timeline

Publicly Published

2020-11-05 (about 11 months ago)

Added

2020-11-05 (about 11 months ago)

Last Updated

2020-11-09 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin