7.5
CVE-2021-4355
- EPSS 0.83%
- Veröffentlicht 07.06.2023 02:15:13
- Zuletzt bearbeitet 20.02.2025 18:34:50
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
LoginWelcart e-Commerce < 2.2.8 - Missing Capabilities Check to Information Disclosure
The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of members, products and orders.
Mögliche Gegenmaßnahme
Welcart e-Commerce: Update to version 2.2.8, or a newer patched version
Weitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Welcart e-Commerce
Version
[*, 2.2.8)
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Welcart ≫ Welcart E-commerce SwPlatformwordpress Version <= 2.2.7
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.83% | 0.738 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
|
| security@wordfence.com | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.