WordPress Plugin Vulnerabilities

Welcart e-Commerce < 2.2.4 - Cross-Site Scripting (XSS)

Description

The plugin did not sanitise or validate the order_id parameter before outputting in the page of the admin dashboard, leading to a reflected Cross-Site Scripting issue

Proof of Concept

Affects Plugins

Plugin icon
usc-e-shop
Fixed in 2.2.4

References

CVE
CVE-2021-20734
URL
https://jvn.jp/en/jp/JVN70566757/

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Yu Iwama of Secure Sky Technology Inc
Verified
Yes
WPVDB ID
d90cc324-091b-4113-aaee-50ac76f9501a

Timeline

Publicly Published
2021-06-11 (about 4 years ago)
Added
2021-06-11 (about 4 years ago)
Last Updated
2021-06-25 (about 4 years ago)

Other

Published
Title
Published
2026-02-13
Title
myCred < 2.9.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'mycred_load_coupon' Shortcode
Published
2025-03-24
Title
Blue Captcha < 2.0.0 - Reflected Cross-Site Scripting
Published
2024-11-08
Title
File Select Control For Elementor <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-09-01
Title
Polls CP <= 1.0.75 - Admin+ Stored Cross-Site Scripting
Published
2026-04-15
Title
Video Gallery – YouTube Gallery & Responsive Video Playlist < 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting