
Welcart e-Commerce EUVD-2026-36895

CVE-2026-49775 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-vh2q-m85w-97h5
CVSS 3.1: 6.5 · Vendor: Patchstack

Severity by source

Vendor (Patchstack), PRIMARY: 6.5 MEDIUM, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI: 6.5 MEDIUM

Network-reachable with no auth or interaction required; no confidentiality impact; low integrity and availability impact align with missing-authorization scope.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Jun 15, 2026 - 22:50 (vuln.today)
CVE Published: Jun 15, 2026 - 20:19 (cve.org)
MEDIUM 6.5

Description (CVE.org)

Unauthenticated Broken Access Control in Welcart e-Commerce <= 2.11.28 versions.

Analysis (AI)

Unauthenticated broken access control in the Welcart e-Commerce WordPress plugin (versions up to and including 2.11.28) permits remote attackers without any credentials to bypass authorization checks and perform restricted actions. Rooted in CWE-862 (Missing Authorization), the flaw exposes low-severity but tangible integrity and availability impacts against any WordPress installation running the affected plugin. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Enumerate WordPress plugin via HTTP headers or readme.txt
Delivery: Identify Welcart e-Commerce ≤2.11.28
Exploit: Send unauthenticated crafted request to unprotected endpoint
Execution: Bypass missing authorization check
Impact: Modify store data or degrade availability

Vulnerability Assessment (AI)

Exploitation: No authentication is required (CVSS PR:N) and no user interaction is needed (UI:N). …

Risk Assessment: The NVD CVSS 3.1 score of 6.5 (Medium) reflects network-reachable, low-complexity exploitation with no privilege or user-interaction requirement, but constrained impact (C:N/I:L/A:L). …

Exploit Scenario: A remote, unauthenticated attacker identifies a WordPress site running Welcart e-Commerce 2.11.28 or earlier through standard CMS fingerprinting or plugin enumeration. The attacker sends a crafted HTTP request - likely an AJAX POST or REST API call - directly to the vulnerable unprotected endpoint, bypassing the plugin's missing authorization gate. …

Remediation: The primary remediation is to update the Welcart e-Commerce plugin to a version above 2.11.28 via the WordPress admin dashboard or WP-CLI (wp plugin update usc-e-shop). …


EUVD-2026-36895 vulnerability details – vuln.today
