CVE-2022-3946

MEDIUM

Welcart e-Commerce < 2.8.4 - Authenticated Missing Authorization in AJAX Shipping Method Management

Title source: llm
STIX 2.1

Description

The Welcart e-Commerce WordPress plugin before 2.8.4 does not have authorisation and CSRF in an AJAX action, allowing any logged-in user to create, update and delete shipping methods.

References (1)

Core 1
Core References
Exploit, Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/b48e4e1d-e682-4b16-81dc-2feee78d7ed0

Scores

CVSS v3 6.5
EPSS 0.0033
EPSS Percentile 24.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352 CWE-862
Status published
Products (1)
welcart/welcart_e-commerce < 2.8.4
Published Dec 12, 2022
Tracked Since Feb 18, 2026