CVE-2025-10651 MEDIUM

CVE-2025-10651: Welcart e-Commerce <= 2.11.22 - Authenticated (Editor+) Stored Cross-Site Scripting via order_mail

Vendor: Uscnanbu
Product: Welcart e-Commerce
Weakness: CWE-79 (Cross-Site Scripting)
Published: October 22, 2025
Last update: April 8, 2026

CVSS base score: 5.5/10

Attack vector: Network
Attack complexity: Low
Privileges required: High
User interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

1. Description: what the vulnerability does

The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it possible for authenticated attackers, with Editor-level permissions and above, to inject arbitrary web scripts via the General Setting page that will execute when an administrator accesses the E-mail Setting page.
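The description names two defects: the setting is stored without sanitization and echoed without escaping. As an added illustration (not Welcart's own code, whose internals the advisory does not show), the following shows that pattern beside the hardened WordPress form; the option key, field name and form markup are hypothetical, and the two polyfills exist only so the script runs outside WordPress, where the real sanitize_text_field() and esc_attr() are used instead.

```php
<?php
// Added illustration, not Welcart's code. Option key, field name and markup are
// hypothetical. Polyfills let this run outside WordPress; inside WordPress the
// real sanitize_text_field() / esc_attr() take precedence.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Rough approximation of WordPress: strip tags, control chars, outer whitespace.
        $str = strip_tags((string) $str);
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', $str));
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // HTML attribute context: quotes must be encoded, not only angle brackets.
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE pattern (CWE-79): the submitted value is stored verbatim and later
// concatenated into an attribute, so a quote in the value closes the attribute
// and whatever follows is parsed as markup in the administrator's browser.
function vulnerable_save(array $request): array {
    return ['order_mail' => $request['order_mail'] ?? ''];
}
function vulnerable_render(array $stored): string {
    return '<input type="text" name="order_mail" value="' . $stored['order_mail'] . '">';
}

// HARDENED pattern: sanitize on the way in AND escape for the output context on
// the way out. Output escaping is the control that matters most: values may have
// been stored before the sanitizer existed, and sanitize_text_field() does not
// remove quotes, so a sanitized value can still break out of an attribute.
function hardened_save(array $request): array {
    return ['order_mail' => sanitize_text_field($request['order_mail'] ?? '')];
}
function hardened_render(array $stored): string {
    return '<input type="text" name="order_mail" value="' . esc_attr($stored['order_mail']) . '">';
}

// Constructed test input: a value that closes the attribute in the vulnerable path.
$request = ['order_mail' => 'orders@example.com" autofocus onfocus="alert(1)'];

echo "vulnerable: " . vulnerable_render(vulnerable_save($request)) . "\n";
echo "hardened:   " . hardened_render(hardened_save($request)) . "\n";
// In the hardened output every quote is encoded as &quot;, so the browser keeps
// the whole submitted string inside the value attribute and executes nothing.
```

Run with `php example.php` and compare the two lines: the vulnerable one contains a live `onfocus` attribute, the hardened one does not.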

2. Summary: the vulnerability in simple terms

Welcart e-Commerce versions up to and including 2.11.22 contain a cross-site scripting (XSS) vulnerability that allows high-privilege users to inject malicious scripts. Because the CVSS scope is Changed, the impact can extend beyond the plugin to other users or components of the site. An attacker with administrative or elevated access can craft input that executes JavaScript in the browsers of other users, such as an administrator who opens the affected settings page.

3. Attacker capabilities: what an attacker can do

Inject and execute malicious JavaScript in other users' browsers.

4. Site impact: potential impact on your site

A compromised account with Editor-level permissions or above can inject scripts that affect other users and site functionality.

5. Prerequisites: conditions required to exploit

The attacker must hold high-level privileges on the site (Editor-level permissions or above, per the description).

6. Disclosure timeline: key dates

October 22, 2025: CVE published
April 8, 2026: Record updated