8.8
CVE-2020-28339
- EPSS 1.88%
- Veröffentlicht 07.11.2020 19:15:12
- Zuletzt bearbeitet 20.02.2025 18:34:50
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginWelcart e-Commerce <= 1.9.35 - PHP Object Injection
The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9.36 for WordPress allows Object Injection because of usces_unserialize. There is not a complete POP chain.
Mögliche Gegenmaßnahme
Welcart e-Commerce: Update to version 1.9.36, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Welcart ≫ Welcart E-commerce SwPlatformwordpress Version < 1.9.36
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Welcart e-Commerce
Version
[*, 1.9.36)
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.88% | 0.767 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.5 | 8 | 6.4 |
AV:N/AC:L/Au:S/C:P/I:P/A:P
|
| cve@mitre.org | 7.5 | 1.6 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
https://wordpress.org/plugins/usc-e-shop/#developers
https://www.wordfence.com/blog/2020/11/object-injection-vulnerability-in-welcart-e-commerce-plugin/
https://www.wordfence.com/threat-intel/vulnerabilities/id/6c694bce-e389-492a-827d-ae5293730612