CVE-2015-2973

Name of the Vulnerable Software and Affected Versions Welcart plugin versions prior to 1.4.18 for WordPress

Description The issue allows remote attackers to inject arbitrary web script or HTML via the usces referer parameter to various PHP files, including classes/usceshop.class.php, includes/edit-form-advanced.php, includes/edit-form-advanced30.php, includes/edit-form-advanced34.php, includes/member edit form.php, includes/order edit form.php, includes/order list.php, and includes/usces item master list.php, related to admin.php.

Recommendations For Welcart plugin versions prior to 1.4.18, update to version 1.4.18 or later to resolve the issue. As a temporary workaround, consider restricting access to the usces referer parameter in the affected PHP files until a patch is available.