
42 matches found

NVD
added 2 days ago · 9 views

CVE-2026-4080

The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'addtocart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectpaddtocart function...

CVSS 6.4 · EPSS 0.00042
Exploits: 0 · References: 15

EUVD
added 2 days ago · 7 views

EUVD-2026-33892

The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'addtocart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectpaddtocart function...

CVSS 6.4 · AI score 6 · EPSS 0.00042
Exploits: 0 · References: 15

ATTACKERKB
added 2 days ago · 6 views

CVE-2026-4080

The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'addtocart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectpaddtocart function...

CVSS 6.4 · AI score 6 · EPSS 0.00042
Exploits: 0 · References: 16

Positive Technologies
added 2 days ago · 7 views

PT-2026-45707

The Easy Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add to cart' shortcode in all versions up to and including 1.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the ectp add to cart...

CVSS 6.4 · AI score 6 · EPSS 0.00042
Exploits: 0 · References: 16

RedhatCVE
added 2026/02/19 7:28 a.m. · 5 views

CVE-2026-2019

The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval function. This makes it possible for authenticated...

CVSS 7.2 · AI score 6.2 · EPSS 0.00024
Exploits: 0 · References: 1

Patchstack
added 2026/02/18 12:1 a.m. · 3 views

WordPress Cart All In One For WooCommerce plugin <= 1.1.21 - Authenticated (Administrator+) Code Injection via 'sc_assign_page' Setting vulnerability

Authenticated (Administrator+) Code Injection via 'sc_assign_page' Setting vulnerability discovered by Phap Nguyen Anh - FIS in WordPress Plugin Cart All In One For WooCommerce versions <= 1.1.21...

CVSS 7.2 · AI score 5.5 · EPSS 0.00024
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2026/01/19 8:13 p.m. · 1 view

WordPress Ecwid Shopping Cart plugin <= 7.0.5 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Rapid0nion in WordPress Plugin Ecwid Shopping Cart versions <= 7.0.5...

CVSS 4.3 · AI score 5.4 · EPSS 0.00048
Exploits: 0 · Affected Software: 1

RedhatCVE
added 2026/01/09 11:13 a.m. · 4 views

CVE-2016-10951

The fs-shopping-cart plugin 2.07.02 for WordPress has SQL injection via the pid parameter...

CVSS 7.2 · AI score 8.2 · EPSS 0.00656
Exploits: 2 · References: 1

RedhatCVE
added 2025/05/23 2:58 a.m. · 1 view

CVE-2023-1124

The Shopping Cart & eCommerce Store WordPress plugin before 5.4.3 does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks...

CVSS 7.2 · AI score 8.1 · EPSS 0.01077
Exploits: 2 · References: 1

NVD
added 2025/05/01 12:15 p.m. · 11 views

CVE-2025-3890

The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpcartbutton' shortcode in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVSS 6.4 · EPSS 0.00157
Exploits: 0 · References: 4

Patchstack
added 2025/04/04 1:30 p.m. · 4 views

WordPress Ecwid Shopping Cart plugin <= 7.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Ngô Thiên An ancorn from VNPT-VCI in WordPress Plugin Ecwid Shopping Cart versions <= 7.0...

CVSS 6.5 · AI score 6.9 · EPSS 0.00883
Exploits: 0 · Affected Software: 1

RedhatCVE
added 2025/02/05 10:18 a.m. · 4 views

CVE-2024-3211

The Shopping Cart & eCommerce Store plugin for WordPress is vulnerable to SQL Injection via the 'productid' attribute of the ecaddtocart shortcode in all versions up to, and including, 5.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVSS 8.8 · AI score 7.1 · EPSS 0.00406
Exploits: 0 · References: 1

CVE
added 2025/01/08 9:18 a.m. · 45 views

CVE-2024-12712

CVE-2024-12712 affects the Shopping Cart & eCommerce Store (WordPress) plugin, citing a missing capability check on the webhook function that allowed unauthenticated modification of order statuses in all versions up to 5.7.8. Public sources from Red Hat and Wordfence indicate this was patched in ...

CVSS 5.3 · AI score 5.1 · EPSS 0.00273
Exploits: 0 · References: 2

Positive Technologies
added 2025/01/08 12:0 a.m. · 5 views

PT-2025-1934 · WordPress · Shopping Cart & Ecommerce Store

Name of the Vulnerable Software and Affected Versions: The Shopping Cart & eCommerce Store plugin for WordPress versions up to, and including, 5.7.8 Description: The issue is related to a missing capability check on the webhook function, allowing unauthenticated attackers to modify order statuses...

CVSS 5.3 · AI score 7.2 · EPSS 0.00273
Exploits: 0 · References: 7

Cvelist
added 2024/12/07 9:26 a.m. · 14 views

CVE-2024-12253 Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal <= 3.1.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update / Data Access

The Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'savesettings', 'exportcsv', and 'simpleecommcart-action' actions in all versions up to, and including, 3.1.2. This makes it...

CVSS 5.4 · EPSS 0.00373
Exploits: 0 · References: 2

Positive Technologies
added 2024/12/07 12:0 a.m. · 1 view

PT-2024-17509 · WordPress · The Simple Ecommerce Shopping Cart Plugin

Name of the Vulnerable Software and Affected Versions: The Simple Ecommerce Shopping Cart Plugin- Sell products through Paypal plugin for WordPress versions up to, and including, 3.1.2 Description: The issue is related to a missing capability check on the 'save settings', 'export csv', and...

CVSS 5.4 · AI score 7 · EPSS 0.00373
Exploits: 0 · References: 7

OSV
added 2024/07/15 6:15 a.m. · 0 views

CVE-2024-6073

The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVSS 6.1 · AI score 5.8 · EPSS 0.00174
Exploits: 1 · References: 1

CNNVD
added 2024/06/14 12:0 a.m. · 1 view

WordPress plugin Inquiry cart security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in WordPress...

CVSS 6.1 · AI score 5.9 · EPSS 0.00133
Exploits: 2 · References: 2

Positive Technologies
added 2024/06/14 12:0 a.m. · 1 view

PT-2024-34698 · WordPress · Inquiry Cart Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: Inquiry cart WordPress plugin versions 3.4.2 and earlier Description: The issue concerns the lack of CSRF checks in some areas of the plugin, as well as missing sanitization and escaping. This could allow attackers to make logged-in admins ad...

CVSS 6.1 · AI score 5.2 · EPSS 0.00133
Exploits: 2 · References: 4

Patchstack
added 2024/04/15 11:12 a.m. · 3 views

WordPress Shopping Cart & eCommerce Store plugin <= 5.6.3 - Authenticated (Contributor+) SQL Injection vulnerability

Authenticated (Contributor+) SQL Injection vulnerability discovered by Krzysztof Zając in WordPress Plugin WP EasyCart versions <= 5.6.3...

CVSS 8.8 · AI score 8.1 · EPSS 0.00406
Exploits: 0 · References: 1 · Affected Software: 1