CVE-2025-47511
BaseFortify
Publication date: 2025-06-09
Last updated on: 2026-04-23
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| welcart | welcart_e-commerce | to 2.11.14 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Welcart e-Commerce WordPress plugin (up to version 2.11.13) is an Arbitrary File Deletion issue caused by improper limitation of pathnames, also known as a Path Traversal vulnerability. It allows an attacker with Editor-level privileges to delete arbitrary files on the website, potentially targeting core files and causing site malfunction or complete breakdown. [1]
How can this vulnerability impact me?
If exploited, this vulnerability can lead to deletion of arbitrary files on your website, which may result in site malfunction or a complete breakdown of your e-commerce platform. The severity is medium with a CVSS score of 6.8, and attackers could opportunistically exploit it to disrupt your site's operation. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the Welcart e-Commerce plugin version is 2.11.13 or earlier, as these versions are affected. Since the vulnerability allows arbitrary file deletion by users with Editor-level privileges, monitoring for unusual file deletions or modifications in the website files can help detect exploitation. Patchstack recommends professional incident response and server-side malware scanning because plugin-based malware scanners may be unreliable. Specific commands are not provided in the resources. [1]
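Since the record lists no detection commands, the following shell script is an added example written for this page (it is not from BaseFortify, Patchstack or the Welcart project). It reads the `Version:` header of a WordPress plugin's main PHP file and reports whether the installed Welcart version is below the fixed release 2.11.14. The plugin file path you pass in is an assumption to adjust to your install; the demo at the bottom runs the check against a constructed sample header rather than a real installation.

```shell
#!/bin/sh
# Added example (not from the BaseFortify record or Patchstack): decide whether a
# Welcart e-Commerce install is in the affected range (< 2.11.14) by reading the
# "Version:" header of the plugin's main PHP file.

FIXED_VERSION="2.11.14"   # first fixed release per the record

# Print the value of the "Version:" header from a WordPress plugin main file.
# Handles both "Version: x.y.z" and " * Version: x.y.z" header styles.
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# True (exit 0) when $1 sorts strictly before $2 as a version number.
# sort -V is needed because lexically "2.11.9" would sort after "2.11.14".
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify a Welcart version string: prints "vulnerable" or "patched".
welcart_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Check a plugin main file; prints a verdict and returns 1 when vulnerable,
# 2 when no Version header could be read, 0 when patched.
check_plugin_file() {
    v="$(plugin_version "$1")"
    if [ -z "$v" ]; then
        echo "no Version header found in $1"
        return 2
    fi
    s="$(welcart_status "$v")"
    echo "Welcart version $v: $s (fixed in $FIXED_VERSION)"
    [ "$s" = patched ]
}

# Demo against a constructed plugin header (sample data, not a real install).
# On a real site the path would be something like
# wp-content/plugins/<welcart-plugin-dir>/<main-file>.php (assumed layout).
demo() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
<?php
/*
Plugin Name: Welcart e-Commerce
Version: 2.11.13
*/
EOF
    if check_plugin_file "$tmp"; then
        echo "no action needed"
    else
        echo "action: update to $FIXED_VERSION or later, or apply the vPatch until you can"
    fi
    rm -f "$tmp"
}

demo
```

To use it on a real install, call `check_plugin_file` with the path of the plugin's main PHP file; the non-zero return code makes it easy to wire into a cron job or a fleet inventory script. The version comparison relies on `sort -V`, which is available in GNU and BusyBox coreutils.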
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Welcart e-Commerce plugin to version 2.11.14 or later, which resolves the vulnerability. Patchstack also provides a virtual patch (vPatch) that blocks attacks until the official update can be applied. Users are advised to apply this virtual patch if immediate updating is not possible. Additionally, seeking professional incident response and performing server-side malware scanning is recommended if compromise is suspected. [1]