Impact
The vulnerability is an unauthenticated Broken Access Control flaw that allows an attacker to gain unauthorized access to sensitive administrative functions or data within the Welcart e‑Commerce plugin. Classified as CWE‑862, the flaw results from missing or insufficient permission checks, potentially enabling exploitation to read, modify, or delete e‑commerce settings, orders, or customer information.
Affected Systems
Affected systems include WordPress installations using the Welcart e‑Commerce plugin version 2.11.28 or earlier. All sites running those versions, regardless of other plugins or themes, are potentially exposed because the plugin performs insufficient permission checks in its core code.
Risk and Exploitability
The CVSS score is 6.5, indicating moderate severity, and the EPSS score is less than 1%, suggesting a low likelihood of current exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Based on the description it is inferred that exploitation can occur over the network from any visitor without needing authentication, indicating a remote, unauthenticated attack vector.
OpenCVE Enrichment