WordPress Plugin Vulnerabilities

Welcart e-Commerce < 2.2.8 - Unauthenticated Information Disclosure

Description

The plugin did not have proper capability check in some of its functions, which could allow unauthenticated users to download the list of members, products and orders in CSV format

Affects Plugins

Plugin icon
usc-e-shop
Fixed in 2.2.8

References

CVE
CVE-2021-4355
URL
https://blog.nintechnet.com/wordpress-welcart-e-commerce-plugin-fixed-vulnerabilities/

Classification

Type
ACCESS CONTROLS
OWASP top 10
A5: Broken Access Control
CWE
CWE-284
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Jerome Bruandet (nintechnet)
Verified
Yes
WPVDB ID
1cb06be3-b3c2-4053-a0a0-5dc0476ee81c

Timeline

Publicly Published
2021-08-06 (about 4 years ago)
Added
2021-08-06 (about 4 years ago)
Last Updated
2023-06-08 (about 2 years ago)

Other

Published
Title
Published
2021-04-10
Title
Contact Form Check Tester <= 1.0.2 - Broken Access Control to Cross-Site Scripting (XSS)
Published
2021-10-05
Title
Simple Download Monitor < 3.9.6 - Arbitrary Thumbnails Removal
Published
2023-09-03
Title
FileOrganizer < 1.0.3 - Admin+ Arbitrary File Access
Published
2022-03-28
Title
Shopping Cart & eCommerce Store < 5.2.5 - Arbitrary Design Settings Update via CSRF
Published
2024-04-29
Title
Subway – Private Site Option <= 2.1.4 - Improper Access Control to Sensitive Information Exposure via REST API