Welcart e-Commerce, CVE-2025-10651

CVE, Research URL: CVE-2025-10651
Home page URL: Security reports for Welcart e-Commerce
Application: Welcart e-Commerce
Published on: Oct 22, 2025
Research Description: The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it possible for authenticated attackers, with Editor-level permissions and above, to inject arbitrary web scripts via the General Setting page that will execute when an administrator accesses the E-mail Setting page.
Affected versions: max 2.11.23.
Status: vulnerable