WordPress Plugin Vulnerabilities

Ecwid Shopping Cart < 6.10.23 - Insufficient Access Control

Description

The plugin does not have adequate authorisation in various AJAX actions, which could allow users with a role as low as Subscriber to call them and perform unauthorised actions, such as creating product and category pages, and editing the storefront page.

Affects Plugins

Plugin icon
ecwid-shopping-cart
Fixed in 6.10.23

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ecwid-shopping-cart/ecwid-ecommerce-shopping-cart-61022-insufficient-access-control-on-multiple-ajax-actions

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
WordFence
Verified
No
WPVDB ID
a66aa7e5-0312-4837-839f-f00e6adfc7e2

Timeline

Publicly Published
2022-07-09 (about 3 years ago)
Added
2023-05-08 (about 3 years ago)
Last Updated
2023-05-08 (about 3 years ago)

Other

Published
Title
Published
2015-10-03
Title
PDF And Print <= 1.7.4 - Cross-Site Scripting (XSS)
Published
2025-10-16
Title
tagDiv Composer < 5.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-09-19
Title
Triss <= 2.6 - Reflected Cross-Site Scripting
Published
2022-12-28
Title
Meteor Slides < 1.5.7 - Contributor+ Stored XSS
Published
2025-06-19
Title
Recipes manager - WPH <= 1.0.4 - Authenticated (Editor+) Stored Cross-Site Scripting