WordPress Plugin Vulnerabilities

Welcart e-Commerce < 2.8.4 - Multiple Subscriber+ Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape some parameters, which could allow any authenticated users, such as subscriber to perform Stored Cross-Site Scripting attacks

Proof of Concept

Affects Plugins

Plugin icon
usc-e-shop
Fixed in 2.8.4

References

CVE
CVE-2022-3935

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
https://lana.codes/
Submitter twitter
LanaCodes
Verified
Yes
WPVDB ID
906c5122-dd6d-494b-b66c-4162e234ea05

Timeline

Publicly Published
2022-11-21 (about 3 years ago)
Added
2022-11-21 (about 3 years ago)
Last Updated
2022-11-21 (about 3 years ago)

Other

Published
Title
Published
2023-08-14
Title
Multiple Themes - Reflected XSS
Published
2025-10-14
Title
Quick Social Login <= 1.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-08-11
Title
WordPress Event Manager, Event Calendar and Booking Plugin < 4.0.25 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2023-01-03
Title
Simple Sitemap < 3.5.8 - Contributor+ Stored XSS
Published
2025-09-05
Title
Custom Team Manager <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting