WordPress Friendly Functions for Welcart plugin <= 1.2.5 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by Kai Aizen in WordPress Plugin Friendly Functions for Welcart versions <= 1.2.5...
CVE-2026-1208
The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin setting...
Exploit for CVE-2026-1208
CVE-2026-1208: Cross-Site Request Forgery in Friendly Function...
CVE-2025-12979
The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'uscesexport' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials ex...
CVE-2025-10649
The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via the cookie in all versions up to, and including, 2.11.21 due to insufficient escaping on the user supplied value and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated...
PT-2025-41247
Name of the Vulnerable Software and Affected Versions: Welcart e-Commerce plugin for WordPress versions through 2.11.21. Description: The Welcart e-Commerce plugin for WordPress is susceptible to SQL Injection through the cookie. Insufficient escaping of user-supplied values and inadequate preparati...
EUVD-2016-5809
Malware in sbrugna...
EUVD-2012-5100
Malware in sbrugna...
EUVD-2012-5101
Malware in sbrugna...
EUVD-2015-3056
Malware in sbrugna...
EUVD-2023-58375
Malicious code in bioql PyPI...
CVE-2025-9367 Welcart e-Commerce <= 2.11.20 - Authenticated (Editor+) Stored Cross-Site Scripting
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and...
WordPress Welcart e-Commerce Plugin <= 2.11.16 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by 63n0 in WordPress Plugin Welcart e-Commerce versions <= 2.11.16...
CVE-2024-10726
The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to inject malicious w...
CVE-2023-5952
The Welcart e-Commerce WordPress plugin before 2.9.5 unserializes user input from cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog...
CVE-2022-4236
The Welcart e-Commerce WordPress plugin before 2.8.5 does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server...
CVE-2022-3946
The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF checks in an AJAX action, allowing any logged-in user to create, update and delete shipping methods...
CVE-2012-5178
Cross-site request forgery (CSRF) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that complete a purchase...
CVE-2012-5177
Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...