Lucene search

[email protected]NVD:CVE-2021-4355

HistoryJun 07, 2023 - 2:15 a.m.

CVE-2021-4355

2023-06-0702:15:13

CWE-862

[email protected]

web.nvd.nist.gov

welcart e-commerce

wordpress

authorization bypass

capability checks

admin_init hooks

unauthenticated attackers

vulnerability

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

39.5%

JSON

The Welcart e-Commerce plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the download_orderdetail_list(), change_orderlist(), and download_member_list() functions called via admin_init hooks in versions up to, and including, 2.2.7. This makes it possible for unauthenticated attackers to download lists of members, products and orders.

Affected configurations

NVD

Node

collnewelcart_e-commerceRange≤2.2.7wordpress

References

blog.nintechnet.com/wordpress-welcart-e-commerce-plugin-fixed-vulnerabilities/

www.wordfence.com/threat-intel/vulnerabilities/id/671f5ba5-1f18-49fa-aa97-eaebdb3417bb?source=cve

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

39.5%

JSON

Related for NVD:CVE-2021-4355

cvelist1 cve1 prion1