|
JVNDB-2024-000100
|
Multiple vulnerabilities in WordPress plugin "Welcart e-Commerce"
|
WordPress plugin "Welcart e-Commerce" provided by Welcart Inc. contains multiple vulnerabilities listed below.
- SQL injection (CWE-89) - CVE-2024-42404
- Cross-site scripting (CWE-79) - CVE-2024-45366
Shogo Kumamaru of LAC CyberLink Co., Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 8.8 (High) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2024-42404.
|
CVSS V3 Severity: Base Metrics 6.1 (Medium) [Other]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2024-45366.
|
Welcart
- Welcart e-Commerce versions prior to 2.11.2
|
- An attacker who can log in to the product may obtain or alter the information stored in the database (CVE-2024-42404)
- An arbitrary script may be executed on the user's web browser (CVE-2024-45366)
|
[Update the plugin]
Update the plugin according to the information provided by the developer.
The developer has released the following version that addresses these vulnerabilities.
* Welcart e-Commerce 2.11.2
|
Welcart
|
- Cross-site Scripting (CWE-79) [IPA Evaluation]
- SQL Injection (CWE-89) [IPA Evaluation]
|
- CVE-2024-42404
- CVE-2024-45366
|
- JVN : JVN#19766555
|
- [2024/09/18] Web page was published
|