WordPress Plugin Vulnerabilities
Welcart e-Commerce < 2.11.14 - Authenticated (Editor+) Arbitrary File Deletion
Description
The Welcart e-Commerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 2.11.13. This makes it possible for authenticated attackers, with Editor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Affects Plugins
References
Classification
Type
LFI
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Martino Spagnuolo
Verified
No
WPVDB ID
Timeline
Publicly Published
2025-06-03 (about 1 year ago)
Added
2025-06-10 (about 1 year ago)
Last Updated
2025-06-10 (about 1 year ago)