WordPress Plugin Vulnerabilities

Welcart e-Commerce < 2.8.22 - Author+ SQL Injection

Description

The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, leading to an SQL injection exploitable by users with a role as low as an author.

Affects Plugins

Plugin icon
usc-e-shop
Fixed in 2.8.22

References

CVE
CVE-2023-43493
URL
https://jvn.jp/en/jp/JVN97197972/

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Akihiro Hashimoto
Verified
No
WPVDB ID
4a82f7e8-3a50-44fa-8630-31ad2d134ac5

Timeline

Publicly Published
2023-09-26 (about 2 years ago)
Added
2023-09-28 (about 2 years ago)
Last Updated
2023-09-28 (about 2 years ago)

Other

Published
Title
Published
2015-07-16
Title
Quiz And Survey Master < 4.4.4 - Authenticated Blind SQL Injection
Published
2023-06-26
Title
AN_GradeBook <= 5.0.1 - Subscriber+ SQLi
Published
2026-01-14
Title
Simply Schedule Appointments < 1.6.9.13 - Unauthenticated SQL Injection via `order` and `append_where_sql` Parameters
Published
2025-05-16
Title
Multimedia Responsive Carousel with Image Video Audio Support < 2.6.1 - Authenticated (Contributor+) SQL Injection
Published
2025-04-09
Title
Easy Post Duplicator <= 1.0.1 - Authenticated (Subscriber+) SQL Injection