Directory Traversal Vulnerability in Welcart e-Commerce Plugin for WordPress
CVE-2023-6120

2.7LOW

Key Information:

Vendor

Wordpress
Status
Welcart E-commerce
Vendor
CVE Published:
9 December 2023

What is CVE-2023-6120?

The Welcart e-Commerce plugin for WordPress is affected by a directory traversal vulnerability that allows unauthorized file uploads. Specifically, through the 'upload_certificate_file' function, this vulnerability permits administrators to upload .pem or .crt files to arbitrary locations on the server, potentially leading to serious security risks. All versions up to and including 2.9.6 are impacted, necessitating immediate attention from site administrators.

Affected Version(s)

Welcart e-Commerce * <= 2.9.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/changeset/2992785/usc-...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
2.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka
.