cleantalk
Vulnerabilities and Security Researches

Welcart e-Commerce, CVE-2025-9367

CVE, Research URL

CVE-2025-9367

Home page URL

Security reports for Welcart e-Commerce

Application

Welcart e-Commerce

Published on
Sep 10, 2025
Research Description
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 2.11.21.
Status
vulnerable
Previous vulnerability researches
Malware Scanner (CVE-2024-25902) , Jun 07, 2024
Malware Scanner (CVE-2022-1995) , Jun 07, 2024
Malware Scanner (CVE-2023-52176) , Jun 07, 2024
Malware Scanner (CVE-2024-2172) , Jun 07, 2024
New vulnerability
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts (CVE-2025-58269) , Apr 24, 2026
AnyClip Luminous Studio (CVE-2025-58271) , Apr 24, 2026
Getwid – Gutenberg Blocks (CVE-2025-58252) , Apr 24, 2026
Admin and Site Enhancements (ASE) (CVE-2025-9487) , Apr 24, 2026
VikBooking Hotel Booking Engine & PMS (CVE-2025-5803) , Apr 24, 2026