CVE-2016-4828

medium
Published 2016-06-25 · Modified 2026-05-06
CVSS v3
6.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS v2
6.4
VIR risk
6.5

Description

The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account.

Predictions

Exploit likelihood
75%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://www.welcart.com/community/archives/78977

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://jvndb.jvn.jp/jvndb/JVNDB-2016-000118

vendor Authored 2026-05-27

Vendor advisory: vultures@jpcert.or.jp — http://jvn.jp/en/jp/JVN61578437/index.html

Application impact

| Vendor | Product | Versions | Fixed |
| --- | --- | --- | --- |
| welcart | welcart_e-commerce | before 1.8.3 (`{"endExcluding":"1.8.3"}`) | 1.8.3 |

References

CWEs

CWE-19
