WordPress Plugin Vulnerabilities

Shopping Cart & eCommerce Store < 5.1.1 - CSRF to Stored Cross-Site Scripting

Description

The plugin is vulnerable to Cross-Site Request Forgery via the save_currency_settings function found in the ~/admin/inc/wp_easycart_admin_initial_setup.php file which allows attackers to inject arbitrary web scripts.

Affects Plugins

Plugin icon
wp-easycart
Fixed in 5.1.1

References

CVE
CVE-2021-34645
URL
https://www.wordfence.com/vulnerability-advisories/#CVE-2021-34645

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Xu-Liang Liao
Verified
Yes
WPVDB ID
2025a4e1-62b7-4236-9143-c45d99b38b1f

Timeline

Publicly Published
2021-08-18 (about 4 years ago)
Added
2021-08-18 (about 4 years ago)
Last Updated
2022-04-09 (about 4 years ago)

Other

Published
Title
Published
2025-08-27
Title
Dynamic AJAX Product Filters for WooCommerce < 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Parameter
Published
2024-04-30
Title
TweetScroll Widget <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-08-09
Title
MDx < 2.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via mdx_list_item Shortcode
Published
2025-05-14
Title
Bon Toolkit <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-11-24
Title
Chatbot for WordPress < 2.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting