A SQL Injection vulnerability has been identified in the WordPress Welcart e-Commerce plugin. This vulnerability could allow a malicious actor to directly interact with the database, including but not limited to stealing information.

This vulnerability was discovered and responsibly reported by Unknown.

The SQL Injection occurs in the welcart-e-commerce.php file. A flaw in the way the plugin handles user input allows an attacker to inject malicious SQL code into the queries it runs against the database.


The vulnerability has a CVSS 3.1 score of 7.6, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

As of the latest information, a patched release is available: version 2.8.22 or later addresses the SQL Injection vulnerability in the Welcart e-Commerce Plugin.


An attacker who successfully exploits this vulnerability could:

  • Inject malicious SQL code into the database, which could allow them to:
    • Steal sensitive data, such as user information, credit card numbers, and product details.
    • Modify or delete data in the database.
    • Take control of the database and the website.


Given the gravity of this vulnerability, immediate action is essential to secure the website:

  • Update the Plugin: Promptly update the Welcart e-Commerce Plugin to the latest available version, at least version 2.8.22. This update contains the necessary security fixes to address the SQL Injection vulnerability.
  • Regularly Update Plugins: Beyond this specific update, make it a practice to regularly update all WordPress plugins and themes to their latest versions. Keeping website components up to date is a fundamental security measure.
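
To confirm that an installation meets the 2.8.22 minimum named above, the following added example (not code from the plugin or from this advisory) reads the `Version:` header from a plugin main file and compares it component by component as integers. The sample header text, the function names and the `needs_update` label are assumptions made for illustration.

```python
import re

FIXED_VERSION = "2.8.22"  # minimum patched release named in the advisory

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Welcart e-Commerce
Description: constructed sample header for this example
Version: 2.8.9
*/
"""

_VERSION_LINE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.I | re.M)


def read_plugin_version(source):
    """Return the Version header value from plugin source text, or None."""
    match = _VERSION_LINE.search(source[:8192])  # the header sits at the top of the file
    return match.group(1) if match else None


def version_key(version):
    """Turn a dotted string such as '2.8.21.1' into (2, 8, 21, 1)."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break  # stop at the first non-numeric component
        parts.append(int(digits.group()))
    return tuple(parts)


def is_patched(version, minimum=FIXED_VERSION):
    """True when version >= minimum. As plain strings '2.8.9' sorts above
    '2.8.22', so the components are compared as integers instead."""
    have, need = version_key(version), version_key(minimum)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def audit(source):
    """Classify plugin source text as 'patched', 'needs_update' or 'unknown'."""
    version = read_plugin_version(source)
    if version is None or not version_key(version):
        return "unknown"
    return "patched" if is_patched(version) else "needs_update"
```

Pass `audit()` the text of the plugin's main file from each site; a result of `unknown` means no parsable version header was found and the installation should be checked by hand.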