What the vulnerability does
01Description
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it possible for authenticated attackers, with Editor-level permissions and above, to inject arbitrary web scripts via the General Setting page that will execute when an administrator accesses the E-mail Setting page.
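As an added illustration, not Welcart's code and not the actual routine that was fixed, the following stand-alone PHP models the pattern the description names: an `order_mail` value stored without sanitization and echoed into a textarea without escaping, beside the hardened form that sanitizes on save and escapes on output. The in-memory `$options` array stands in for WordPress's `update_option()`/`get_option()`, and `strip_tags()`/`htmlspecialchars()` stand in for `sanitize_textarea_field()`/`esc_textarea()` so the script runs without WordPress; the payload is constructed for the example.

```php
<?php
// Added example: models the stored-XSS pattern described above.
// Hypothetical code, not the Welcart plugin's own implementation.

// Constructed attacker input, saved by an Editor as the order_mail setting.
// Text inside <textarea> is inert only until the first </textarea>, so the
// payload closes the element before injecting a script element.
$submitted = "Thanks for your order.</textarea>"
           . "<script>alert('stored XSS in admin session')</script>"
           . "<textarea>";

// --- Vulnerable pattern: stored as-is, echoed as-is. ---
// $options stands in for the WordPress options table (update_option()).
function save_unsafe(array &$options, string $value): void
{
    $options['order_mail'] = $value;            // no sanitization on input
}

function render_unsafe(array $options): string
{
    // no escaping on output: raw markup reaches the administrator's browser
    return '<textarea name="order_mail">' . $options['order_mail'] . '</textarea>';
}

// --- Hardened pattern: sanitize on save AND escape on output. ---
// In WordPress use sanitize_textarea_field(); strip_tags() approximates it here.
function save_safe(array &$options, string $value): void
{
    $options['order_mail'] = strip_tags($value);
}

// In WordPress use esc_textarea(), which is htmlspecialchars() with ENT_QUOTES
// and the blog charset; this is its stand-alone equivalent.
function render_safe(array $options): string
{
    return '<textarea name="order_mail">'
         . htmlspecialchars($options['order_mail'], ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

// Escaping alone is enough to neutralize the payload even if an unsanitized
// value reached storage through another path (import, direct DB write).
function render_escaped_only(array $options): string
{
    return '<textarea name="order_mail">'
         . htmlspecialchars($options['order_mail'], ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

$opts = [];
save_unsafe($opts, $submitted);
echo "Vulnerable output (script element reaches the browser):\n";
echo render_unsafe($opts), "\n\n";
echo "Same unsanitized value, escaped on output (rendered as literal text):\n";
echo render_escaped_only($opts), "\n\n";

$opts = [];
save_safe($opts, $submitted);
echo "Hardened output (sanitized on save, escaped on output):\n";
echo render_safe($opts), "\n";
```

Run it with `php` from the command line. The point to take from the three outputs is that output escaping is the control that actually decides whether the browser sees `<script>` or `&lt;script&gt;`; input sanitization is a second layer, not a substitute, because values can reach the option through paths that bypass the settings form.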
Explanation of Vulnerability in Simple Terms
02Summary
Welcart e-Commerce versions up to and including 2.11.22 contain a stored cross-site scripting (XSS) vulnerability. A logged-in user with the Editor role or higher can save a script payload in the 'order_mail' setting on the General Setting page; because the value is neither sanitized when stored nor escaped when displayed, the script runs in the browser of any administrator who later opens the E-mail Setting page. The impact crosses privilege boundaries: the payload executes in the administrator's session rather than the attacker's own.
What an attacker can do
03Attacker Capabilities
Store JavaScript in the 'order_mail' setting that executes in the browser of every administrator who views the E-mail Setting page. Because it runs in the administrator's authenticated session, the script can perform any action that administrator can.
Potential impact on your site
04Site Impact
A malicious or compromised Editor-level account can plant a persistent script that runs in administrators' sessions, giving the attacker a path from Editor to administrator-level control of the site and of any functionality an administrator can reach.
Conditions required to exploit
05Prerequisites
The attacker must be authenticated with the Editor role or higher; the site must run Welcart e-Commerce 2.11.22 or earlier; and an administrator must open the E-mail Setting page after the payload has been stored.
Key dates
06Disclosure timeline
October 22, 2025
CVE published
April 8, 2026
Record updated