Vulnerabilites related to wpeasycart - wp_easycart
Vulnerability from fkie_nvd
Published
2017-10-06 22:29
Modified
2025-04-20 01:37
Severity ?
Summary
The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for WordPress allow remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://blog.rastating.com/wp-easycart-privilege-escalation-information-disclosure/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://blog.rastating.com/wp-easycart-privilege-escalation-information-disclosure/ | Exploit, Third Party Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.1.30:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4487C83C-8C47-403C-AA92-BF76BB713AC9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.1.31:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "F8C7F40B-384D-4BA1-8395-8169ADD2B15D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.1.32:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "BF2337EE-D7BC-4849-8557-FF00D7098369",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.1.33:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "70045986-BD4B-4664-A273-04B2B62E80DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.1.34:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "76FDFD93-E825-45D3-BF54-80B907C47AC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.1.35:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "02E41D7E-8D43-4585-8D75-D376FC1291E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.1.36:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0931F7E7-E651-4127-BDFE-8668C03B00BF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.0:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "E0D178F1-32B8-4195-B0C2-6CB7011C65FF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.1:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4E6FE01F-E50D-4EC3-813F-28D9DCF4B034",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.2:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "91C4AFDA-5A51-4DB4-B67B-A28B2E005D0F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.3:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "CFF6482F-9323-4EA2-AF2D-A023FF067167",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.4:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "434C1693-E249-43C1-AE21-2E5670883585",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.5:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "CB46188F-C271-4C2B-9B91-56420D3E534E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.6:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "5CFF7FE7-5B4B-4DB2-A30F-78919A270CBB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.7:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "9D2F76E9-C38F-446E-933C-516777DFE3CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.8:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "83123C36-D1BB-4808-9AC5-42E4BF72CA89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.9:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "102BBE09-B316-412D-A423-5F80AA0F8607",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.10:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "A94A31D7-3F33-4CF4-8D9D-3FD06E3B2747",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.11:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "BC6AD11F-E432-4780-B376-30500471B78E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.12:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8D1FA1A5-08B1-4E7B-AF4D-F1A5E1CB1356",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.13:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "823DDF37-7E98-489A-AE1B-C5309B11BDD7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.14:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "DBDB700D-780B-4938-B10F-44BA9F5E73E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.15:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "B7C153B8-54E3-4EE2-968D-BE8679B54E7E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:1.2.16:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "1CFFD414-B289-43B4-9C6D-B180275B73C5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.1:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "14E7D42E-7F3F-4B55-8E1B-EB52D1ECC4B2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.1\\@824267:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "A0B706B5-549A-4DE9-B770-B40F5965259F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.2:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "AE5FBE51-B439-41DB-A63F-16F583BC4EEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.3:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "26205865-5730-4F14-AFF2-E886AD31B382",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.4:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C06F54D1-B04B-40F0-AD4A-7894B950D953",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.5:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "308EBBC1-FF7F-4B36-99BC-759A1E59AC59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.6:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "BBD360CE-6AC6-4229-8C86-B3417447E431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.7:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "E51D242F-6116-4C57-9CB3-3D411C54475E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.8:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "52223DAD-DDDF-4548-8BF6-72B63AEDA034",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.9:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C09A2D67-C750-4477-B0AC-4052A45638DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.10:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "86AD394E-8CD4-4C91-8008-C947C15A8521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.11:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "9559EA63-8C84-463D-BB3A-C49FC996AD93",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.12:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "56A994AE-5DF8-41B2-A567-978F71BCDDC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.13:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8A87B5CA-912A-4E28-BD08-E4DF30AA0DF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.14:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "6CD014CA-A922-44AE-B67E-01BD3715C5E2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.15:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "FE9CDF60-3D48-43E1-B341-C74C4D3C5A98",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.16:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "46866A37-6FC8-4141-8C68-62FCDC281031",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.17:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0DE115C7-83C4-4CC0-B7E6-D3329869D7CC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.18:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "57B54C1B-DBCB-48BB-9494-938CED11D913",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.19:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "441E6707-1E14-4C4B-B5C0-14969CB65385",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.20:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "11587E57-47CE-42E5-8212-0F839AD5FBBD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.21:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0CED4BCE-6462-4D3F-B7FC-E9C39EAA82CE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.0.22:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "1AC9ED3E-C9DD-4E47-ACD2-4EFCC9911DFF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.0:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "54169A5A-ED6E-4901-AA45-0486ACE5EF7F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.1:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8D89B86B-77F5-42B1-BB71-4C439A992956",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.2:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0C317AA6-E446-4A30-BF27-C10D2CCA9047",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.3:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "D6E31C68-D76E-4154-A7B7-B7C1217D06AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.4:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8417E1BA-F5AB-4AE3-9E66-4E0A24A709A6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.5:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "1157B92A-2937-4DFA-81DB-5DF57290FD21",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.6:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "7D17E334-688F-470E-8C5B-953BC4179F61",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.7:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C82F09A5-9307-4806-9DDF-6BE75F94BE64",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.8:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "D5479CF8-E46F-4C02-9504-7CA0F751C9A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.9:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "3D144CC0-F0AE-4FCC-AD36-1EF659521F54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.10:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "3A69B29C-FF7A-4447-8287-C3AEC2B26EE5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.11:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "D45D1B03-C288-4587-8E87-973B6F954952",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.12:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "44C4FFC8-72E5-41CA-8E9C-90B40AF38EF7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.13:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "92078833-B796-46C6-8DD0-B1004910A45D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.14:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "865B39D6-7DB7-4380-BB5A-47A04E038C16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.15:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "F1354C59-3573-42A9-BD4D-F300F4B90D28",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.16:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "07C5329B-494A-42C9-897C-9BDB02FAE265",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.17:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "D90408D0-7FE1-4525-90D5-C51951F269D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.18:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "43A33C3E-93B7-44A9-99ED-47712D2D0276",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.19:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "ECDCFD9B-0C0F-4458-B805-63770CF35E50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.20:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C82F4AA5-9551-48EF-B6E3-5F71E2CF4283",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.21:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "27E6CFF3-4FF6-46E9-873D-2B309D7E92B7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.22:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "CB869FEA-8D2C-4405-A1FA-76068448D0BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.23:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8B52E3AC-89BE-45BC-BF49-2EC30CBF5CB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.24:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "18A035A1-5F85-49E8-B123-B38ED721FE66",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.25:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "A778FFA8-3015-4621-BB0D-D48D3DC5CE29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.26:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "871120E5-DA7B-4A80-B61F-77B033756AA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.27:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "4599DC86-B3FB-457E-8407-57349F08698C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.28:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "B3CBF969-8CCF-470D-94E9-F71734DB7C14",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.29:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "401AF261-ECA1-4D2E-AEF7-F626138FD546",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.30:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C0C1CDE3-21D1-44B9-9596-32A1B89D8105",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.31:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C59481E3-9F3C-4ED5-BA37-92CCC48CF4DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.32:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "1C3B3162-21A3-46E6-BF37-39BBC781D18F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.33:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "5255BA79-6490-4069-B4CE-07A02510FE31",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.34:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "9BF95BE9-36EB-4E56-B8DA-F2DAB9D399F5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.35:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C9FBD7B5-51EC-46E4-80A5-FCAC85FD13EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:2.1.36:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "1313BD18-0880-4099-962A-A09650D6980F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.0:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "81092DEA-39F6-4405-A4D9-DB53C88B4437",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.1:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "E87A5A66-4AB1-4D10-A7ED-B41DF033F007",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.2:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "052B2164-0FA4-484C-BFDD-2D4C9344AB50",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.3:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "7B4F4125-8D1C-49BA-88FB-90D827ED8673",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.4:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "2C09B121-0D79-4DE5-B6AB-AD110E616412",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.5:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "86C0C8BD-D6C3-41BF-A2B0-F9E8B50FF520",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.6:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "682648C4-8F0D-46A8-A425-3835D5039916",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.7:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "298AED62-362B-441E-BFCB-5BBB00E8B719",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.8:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C571B408-3DA8-46A1-8EC0-2720604F6B26",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.9:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "B8B4493E-F0E3-4F9D-B473-422333698EAB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.10:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8905C98B-B282-4175-A133-E55520BFC018",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.11:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "1A1D72CF-BAC7-4248-9389-74BB2B4209F8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.12:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "C8B46D52-5508-413D-9C7B-28991FC87457",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.13:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "296965EE-356D-40C6-9CC3-D37BED387931",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.14:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "6D61E803-BD0C-4834-BD3F-37CFF4701050",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.15:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "8C1B2AF4-CBD1-4701-A998-3F28EE090616",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.16:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "9D0D9100-474F-42B6-AB15-565A2A27F53B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.17:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "6267A653-57D1-47F4-B035-2CEFCE43F44C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.18:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "B248C90A-125E-4EF4-9A57-E3F21739E1AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.19:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "666D7FB8-CFAB-4175-A5FF-505D8253CB4C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:3.0.20:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "26DBE285-55DF-4316-AEEC-782DD14C7379",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for WordPress allow remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters."
},
{
"lang": "es",
"value": "Las funciones ec_ajax_update_option y ec_ajax_clear_all_taxrates en inc/admin/admin_ajax_functions.php en el plugin WP EasyCart desde la versi\u00f3n 1.1.30 hasta la 3.0.20 para WordPress permiten que atacantes remotos obtengan privilegios de administrador y ejecuten c\u00f3digo arbitrario mediante los par\u00e1metros option_name y option_value."
}
],
"id": "CVE-2015-2673",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-10-06T22:29:00.633",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://blog.rastating.com/wp-easycart-privilege-escalation-information-disclosure/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://blog.rastating.com/wp-easycart-privilege-escalation-information-disclosure/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-09 07:15
Modified
2024-11-21 07:59
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_deactivate_product function. This makes it possible for unauthenticated attackers to deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpeasycart | wp_easycart | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0BF27219-FD49-44FE-A353-A8444D0909A8",
"versionEndIncluding": "5.4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_deactivate_product function. This makes it possible for unauthenticated attackers to deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"id": "CVE-2023-2893",
"lastModified": "2024-11-21T07:59:30.683",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-09T07:15:10.110",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1268604c-08eb-4d86-8e97-9cdaa3e19c1f?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1268604c-08eb-4d86-8e97-9cdaa3e19c1f?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified"
}
Vulnerability from fkie_nvd
Published
2023-06-09 07:15
Modified
2024-11-21 07:59
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_deactivate_product function. This makes it possible for unauthenticated attackers to bulk deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpeasycart | wp_easycart | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0BF27219-FD49-44FE-A353-A8444D0909A8",
"versionEndIncluding": "5.4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_deactivate_product function. This makes it possible for unauthenticated attackers to bulk deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"id": "CVE-2023-2894",
"lastModified": "2024-11-21T07:59:30.800",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-09T07:15:10.193",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a68b8df9-9b50-4617-9308-76a2a9036d7a?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a68b8df9-9b50-4617-9308-76a2a9036d7a?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified"
}
Vulnerability from fkie_nvd
Published
2023-06-09 07:15
Modified
2024-11-21 07:59
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_delete_product function. This makes it possible for unauthenticated attackers to bulk delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpeasycart | wp_easycart | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0BF27219-FD49-44FE-A353-A8444D0909A8",
"versionEndIncluding": "5.4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_delete_product function. This makes it possible for unauthenticated attackers to bulk delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"id": "CVE-2023-2892",
"lastModified": "2024-11-21T07:59:30.560",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-09T07:15:09.987",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b36e94e4-b1e8-4803-9377-c4d710b029de?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b36e94e4-b1e8-4803-9377-c4d710b029de?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified"
}
Vulnerability from fkie_nvd
Published
2015-01-15 15:59
Modified
2025-04-12 10:46
Severity ?
Summary
Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpeasycart | wp_easycart | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "40D59AB1-45C8-425D-A33B-5D5A6FBD8EEE",
"versionEndIncluding": "3.0.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/."
},
{
"lang": "es",
"value": "Vulnerabilidad de la subida de ficheros sin restricciones en inc/amfphp/administration/banneruploaderscript.php en el plugin WP EasyCart (tambi\u00e9n conocido como WordPress Shopping Cart) anterior a 3.0.9 permite a usuarios remotos autenticados ejecutar c\u00f3digo arbitrario mediante la subida de un fichero con una extensi\u00f3n ejecutable, posteriormente accediendo a ello a trav\u00e9s de una solicitud directa al fichero en products/banners/."
}
],
"evaluatorComment": "\u003ca href=\"http://cwe.mitre.org/data/definitions/434.html\"\u003eCWE-434: Unrestricted Upload of File with Dangerous Type\u003c/a\u003e",
"id": "CVE-2014-9308",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2015-01-15T15:59:17.450",
"references": [
{
"source": "cve@mitre.org",
"url": "http://osvdb.org/show/osvdb/116806"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/129875/WordPress-Shopping-Cart-3.0.4-Unrestricted-File-Upload.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/35730"
},
{
"source": "cve@mitre.org",
"url": "http://www.securityfocus.com/bid/71983"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch"
],
"url": "https://wordpress.org/plugins/wp-easycart/changelog/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/show/osvdb/116806"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://packetstormsecurity.com/files/129875/WordPress-Shopping-Cart-3.0.4-Unrestricted-File-Upload.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/35730"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/71983"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://wordpress.org/plugins/wp-easycart/changelog/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-04-03 15:15
Modified
2025-02-14 17:15
Severity ?
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | https://wpscan.com/vulnerability/229b93cd-544b-4877-8d9f-e6debda9511c | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/229b93cd-544b-4877-8d9f-e6debda9511c | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpeasycart | wp_easycart | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "2310652E-6CBA-45D8-965C-A0C445A33ABB",
"versionEndExcluding": "5.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Shopping Cart \u0026 eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks."
}
],
"id": "CVE-2023-1124",
"lastModified": "2025-02-14T17:15:13.237",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-04-03T15:15:18.970",
"references": [
{
"source": "contact@wpscan.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/229b93cd-544b-4877-8d9f-e6debda9511c"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://wpscan.com/vulnerability/229b93cd-544b-4877-8d9f-e6debda9511c"
}
],
"sourceIdentifier": "contact@wpscan.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-552"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-09 06:16
Modified
2024-11-21 07:59
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_delete_product function. This makes it possible for unauthenticated attackers to delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpeasycart | wp_easycart | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0BF27219-FD49-44FE-A353-A8444D0909A8",
"versionEndIncluding": "5.4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_delete_product function. This makes it possible for unauthenticated attackers to delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"id": "CVE-2023-2891",
"lastModified": "2024-11-21T07:59:30.437",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-09T06:16:12.163",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bcca7ade-8b35-4ba1-a8b4-b1e815b025e3?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bcca7ade-8b35-4ba1-a8b4-b1e815b025e3?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified"
}
Vulnerability from fkie_nvd
Published
2023-06-09 07:15
Modified
2024-11-21 07:59
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_activate_product function. This makes it possible for unauthenticated attackers to bulk activate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpeasycart | wp_easycart | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0BF27219-FD49-44FE-A353-A8444D0909A8",
"versionEndIncluding": "5.4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_activate_product function. This makes it possible for unauthenticated attackers to bulk activate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"id": "CVE-2023-2895",
"lastModified": "2024-11-21T07:59:30.933",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-09T07:15:10.273",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02fd8469-cd99-42dc-9a28-c0ea08512bb0?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02fd8469-cd99-42dc-9a28-c0ea08512bb0?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified"
}
Vulnerability from fkie_nvd
Published
2023-07-12 05:15
Modified
2024-11-21 08:16
Severity ?
Summary
The WP EasyCart plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in versions up to, and including, 5.4.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level or above permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpeasycart | wp_easycart | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "CDB130DF-8032-4593-A0B4-9E7BD3B1E866",
"versionEndExcluding": "5.4.11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018orderby\u2019 parameter in versions up to, and including, 5.4.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level or above permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"id": "CVE-2023-3023",
"lastModified": "2024-11-21T08:16:15.913",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "security@wordfence.com",
"type": "Primary"
}
]
},
"published": "2023-07-12T05:15:09.427",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2923668/wp-easycart/trunk/admin/inc/wp_easycart_admin_table.php"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9c1ddaf-4bf2-4937-b7bf-a09162db043e?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2923668/wp-easycart/trunk/admin/inc/wp_easycart_admin_table.php"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9c1ddaf-4bf2-4937-b7bf-a09162db043e?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified"
}
Vulnerability from fkie_nvd
Published
2023-06-09 07:15
Modified
2024-11-21 07:59
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_duplicate_product function. This makes it possible for unauthenticated attackers to duplicate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| wpeasycart | wp_easycart | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wpeasycart:wp_easycart:*:*:*:*:*:wordpress:*:*",
"matchCriteriaId": "0BF27219-FD49-44FE-A353-A8444D0909A8",
"versionEndIncluding": "5.4.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_duplicate_product function. This makes it possible for unauthenticated attackers to duplicate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"id": "CVE-2023-2896",
"lastModified": "2024-11-21T07:59:31.080",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@wordfence.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-09T07:15:10.347",
"references": [
{
"source": "security@wordfence.com",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "security@wordfence.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/041830b8-f059-46f5-961b-3ba908d161f9?source=cve"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/041830b8-f059-46f5-961b-3ba908d161f9?source=cve"
}
],
"sourceIdentifier": "security@wordfence.com",
"vulnStatus": "Modified"
}
CVE-2023-2896 (GCVE-0-2023-2896)
Vulnerability from cvelistv5
Published
2023-06-09 06:48
Modified
2024-12-20 23:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_duplicate_product function. This makes it possible for unauthenticated attackers to duplicate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| levelfourstorefront | Shopping Cart & eCommerce Store |
Version: * ≤ 5.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:03.538Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/041830b8-f059-46f5-961b-3ba908d161f9?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2896",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:22:49.873882Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:33:54.786Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shopping Cart \u0026 eCommerce Store",
"vendor": "levelfourstorefront",
"versions": [
{
"lessThanOrEqual": "5.4.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_duplicate_product function. This makes it possible for unauthenticated attackers to duplicate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T06:48:38.994Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/041830b8-f059-46f5-961b-3ba908d161f9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-22T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-25T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-05-27T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2896",
"datePublished": "2023-06-09T06:48:38.994Z",
"dateReserved": "2023-05-25T16:34:37.889Z",
"dateUpdated": "2024-12-20T23:33:54.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2894 (GCVE-0-2023-2894)
Vulnerability from cvelistv5
Published
2023-06-09 06:48
Modified
2024-12-20 23:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_deactivate_product function. This makes it possible for unauthenticated attackers to bulk deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| levelfourstorefront | Shopping Cart & eCommerce Store |
Version: * ≤ 5.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:02.446Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a68b8df9-9b50-4617-9308-76a2a9036d7a?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:22:44.828170Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:33:26.271Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shopping Cart \u0026 eCommerce Store",
"vendor": "levelfourstorefront",
"versions": [
{
"lessThanOrEqual": "5.4.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_deactivate_product function. This makes it possible for unauthenticated attackers to bulk deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T06:48:48.886Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a68b8df9-9b50-4617-9308-76a2a9036d7a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-22T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-25T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-05-27T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2894",
"datePublished": "2023-06-09T06:48:48.886Z",
"dateReserved": "2023-05-25T16:16:18.586Z",
"dateUpdated": "2024-12-20T23:33:26.271Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-3023 (GCVE-0-2023-3023)
Vulnerability from cvelistv5
Published
2023-07-12 04:38
Modified
2024-10-16 19:11
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WP EasyCart plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in versions up to, and including, 5.4.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level or above permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| levelfourstorefront | Shopping Cart & eCommerce Store |
Version: * ≤ 5.4.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:04.123Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9c1ddaf-4bf2-4937-b7bf-a09162db043e?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2923668/wp-easycart/trunk/admin/inc/wp_easycart_admin_table.php"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-3023",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-16T19:09:37.739534Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-16T19:11:54.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shopping Cart \u0026 eCommerce Store",
"vendor": "levelfourstorefront",
"versions": [
{
"lessThanOrEqual": "5.4.10",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018orderby\u2019 parameter in versions up to, and including, 5.4.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level or above permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-12T04:38:49.121Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c9c1ddaf-4bf2-4937-b7bf-a09162db043e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2923668/wp-easycart/trunk/admin/inc/wp_easycart_admin_table.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-31T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-06-02T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-06-08T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-3023",
"datePublished": "2023-07-12T04:38:49.121Z",
"dateReserved": "2023-05-31T19:10:12.395Z",
"dateUpdated": "2024-10-16T19:11:54.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2891 (GCVE-0-2023-2891)
Vulnerability from cvelistv5
Published
2023-06-09 05:33
Modified
2024-12-20 23:35
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_delete_product function. This makes it possible for unauthenticated attackers to delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| levelfourstorefront | Shopping Cart & eCommerce Store |
Version: * ≤ 5.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:02.440Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bcca7ade-8b35-4ba1-a8b4-b1e815b025e3?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2891",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:23:23.325745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:35:54.315Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shopping Cart \u0026 eCommerce Store",
"vendor": "levelfourstorefront",
"versions": [
{
"lessThanOrEqual": "5.4.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_delete_product function. This makes it possible for unauthenticated attackers to delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T05:33:31.106Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bcca7ade-8b35-4ba1-a8b4-b1e815b025e3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-22T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-25T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-05-27T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2891",
"datePublished": "2023-06-09T05:33:31.106Z",
"dateReserved": "2023-05-25T16:02:38.711Z",
"dateUpdated": "2024-12-20T23:35:54.315Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9308 (GCVE-0-2014-9308)
Vulnerability from cvelistv5
Published
2015-01-15 15:00
Modified
2024-08-06 13:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/.
References
| ▼ | URL | Tags |
|---|---|---|
| http://packetstormsecurity.com/files/129875/WordPress-Shopping-Cart-3.0.4-Unrestricted-File-Upload.html | x_refsource_MISC | |
| http://www.securityfocus.com/bid/71983 | vdb-entry, x_refsource_BID | |
| http://osvdb.org/show/osvdb/116806 | vdb-entry, x_refsource_OSVDB | |
| https://wordpress.org/plugins/wp-easycart/changelog/ | x_refsource_CONFIRM | |
| http://www.exploit-db.com/exploits/35730 | exploit, x_refsource_EXPLOIT-DB | |
| http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:40:25.111Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/129875/WordPress-Shopping-Cart-3.0.4-Unrestricted-File-Upload.html"
},
{
"name": "71983",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/71983"
},
{
"name": "116806",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/show/osvdb/116806"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://wordpress.org/plugins/wp-easycart/changelog/"
},
{
"name": "35730",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/35730"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-01-08T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-01-15T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/129875/WordPress-Shopping-Cart-3.0.4-Unrestricted-File-Upload.html"
},
{
"name": "71983",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/71983"
},
{
"name": "116806",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/show/osvdb/116806"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://wordpress.org/plugins/wp-easycart/changelog/"
},
{
"name": "35730",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/35730"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9308",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://packetstormsecurity.com/files/129875/WordPress-Shopping-Cart-3.0.4-Unrestricted-File-Upload.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/129875/WordPress-Shopping-Cart-3.0.4-Unrestricted-File-Upload.html"
},
{
"name": "71983",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/71983"
},
{
"name": "116806",
"refsource": "OSVDB",
"url": "http://osvdb.org/show/osvdb/116806"
},
{
"name": "https://wordpress.org/plugins/wp-easycart/changelog/",
"refsource": "CONFIRM",
"url": "https://wordpress.org/plugins/wp-easycart/changelog/"
},
{
"name": "35730",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/35730"
},
{
"name": "http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html",
"refsource": "MISC",
"url": "http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9308",
"datePublished": "2015-01-15T15:00:00",
"dateReserved": "2014-12-07T00:00:00",
"dateUpdated": "2024-08-06T13:40:25.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2893 (GCVE-0-2023-2893)
Vulnerability from cvelistv5
Published
2023-06-09 06:48
Modified
2024-12-20 23:33
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_deactivate_product function. This makes it possible for unauthenticated attackers to deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| levelfourstorefront | Shopping Cart & eCommerce Store |
Version: * ≤ 5.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:02.429Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1268604c-08eb-4d86-8e97-9cdaa3e19c1f?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:22:47.393986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:33:35.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shopping Cart \u0026 eCommerce Store",
"vendor": "levelfourstorefront",
"versions": [
{
"lessThanOrEqual": "5.4.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_deactivate_product function. This makes it possible for unauthenticated attackers to deactivate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T06:48:40.891Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1268604c-08eb-4d86-8e97-9cdaa3e19c1f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-22T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-25T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-05-27T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2893",
"datePublished": "2023-06-09T06:48:40.891Z",
"dateReserved": "2023-05-25T16:08:00.877Z",
"dateUpdated": "2024-12-20T23:33:35.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2892 (GCVE-0-2023-2892)
Vulnerability from cvelistv5
Published
2023-06-09 06:48
Modified
2024-12-20 23:32
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_delete_product function. This makes it possible for unauthenticated attackers to bulk delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| levelfourstorefront | Shopping Cart & eCommerce Store |
Version: * ≤ 5.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:02.438Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b36e94e4-b1e8-4803-9377-c4d710b029de?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2892",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:22:39.638527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:32:55.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shopping Cart \u0026 eCommerce Store",
"vendor": "levelfourstorefront",
"versions": [
{
"lessThanOrEqual": "5.4.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_delete_product function. This makes it possible for unauthenticated attackers to bulk delete products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T06:48:50.216Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b36e94e4-b1e8-4803-9377-c4d710b029de?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-22T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-25T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-05-27T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2892",
"datePublished": "2023-06-09T06:48:50.216Z",
"dateReserved": "2023-05-25T16:04:33.232Z",
"dateUpdated": "2024-12-20T23:32:55.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-2673 (GCVE-0-2015-2673)
Vulnerability from cvelistv5
Published
2017-10-06 22:00
Modified
2024-08-06 05:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for WordPress allow remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters.
References
| ▼ | URL | Tags |
|---|---|---|
| http://blog.rastating.com/wp-easycart-privilege-escalation-information-disclosure/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T05:24:38.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.rastating.com/wp-easycart-privilege-escalation-information-disclosure/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for WordPress allow remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-09T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.rastating.com/wp-easycart-privilege-escalation-information-disclosure/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-2673",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for WordPress allow remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://blog.rastating.com/wp-easycart-privilege-escalation-information-disclosure/",
"refsource": "MISC",
"url": "http://blog.rastating.com/wp-easycart-privilege-escalation-information-disclosure/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-2673",
"datePublished": "2017-10-06T22:00:00",
"dateReserved": "2015-03-23T00:00:00",
"dateUpdated": "2024-08-06T05:24:38.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-1124 (GCVE-0-2023-1124)
Vulnerability from cvelistv5
Published
2023-04-03 14:38
Modified
2025-02-14 16:58
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/229b93cd-544b-4877-8d9f-e6debda9511c | exploit, vdb-entry, technical-description |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | Shopping Cart & eCommerce Store |
Version: 0 < 5.4.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T05:32:46.390Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/229b93cd-544b-4877-8d9f-e6debda9511c"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-1124",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T16:58:06.574101Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T16:58:56.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"product": "Shopping Cart \u0026 eCommerce Store",
"vendor": "Unknown",
"versions": [
{
"lessThan": "5.4.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Shreya Pohekar"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Shopping Cart \u0026 eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-03T14:38:26.671Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/229b93cd-544b-4877-8d9f-e6debda9511c"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Shopping Cart \u0026 eCommerce Store \u003c 5.4.3 - Admin+ LFI",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2023-1124",
"datePublished": "2023-04-03T14:38:26.671Z",
"dateReserved": "2023-03-01T15:20:23.290Z",
"dateUpdated": "2025-02-14T16:58:56.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-2895 (GCVE-0-2023-2895)
Vulnerability from cvelistv5
Published
2023-06-09 06:48
Modified
2024-12-20 23:34
Severity ?
VLAI Severity ?
EPSS score ?
Summary
The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_activate_product function. This makes it possible for unauthenticated attackers to bulk activate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| levelfourstorefront | Shopping Cart & eCommerce Store |
Version: * ≤ 5.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:41:03.464Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02fd8469-cd99-42dc-9a28-c0ea08512bb0?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:22:52.632672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:34:04.758Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shopping Cart \u0026 eCommerce Store",
"vendor": "levelfourstorefront",
"versions": [
{
"lessThanOrEqual": "5.4.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alex Thomas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP EasyCart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 5.4.8. This is due to missing or incorrect nonce validation on the process_bulk_activate_product function. This makes it possible for unauthenticated attackers to bulk activate products via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-09T06:48:38.488Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02fd8469-cd99-42dc-9a28-c0ea08512bb0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/2917958/wp-easycart"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-05-22T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2023-05-25T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2023-05-27T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2023-2895",
"datePublished": "2023-06-09T06:48:38.488Z",
"dateReserved": "2023-05-25T16:16:52.256Z",
"dateUpdated": "2024-12-20T23:34:04.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}