CVE-2025-10651
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-22

Last updated on: 2025-10-22

Assigner: Wordfence

Description
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it possible for authenticated attackers, with Editor-level permissions and above, to inject arbitrary web scripts via the General Setting page that will execute when an administrator accesses the E-mail Setting page.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-22
Last Modified
2025-10-22
Generated
2026-06-16
AI Q&A
2025-10-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-10651
EUVD
EUVD-2025-35353
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
welcart welcart *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in the Welcart e-Commerce plugin for WordPress, specifically in versions up to and including 2.11.22. It occurs because the 'order_mail' setting does not properly sanitize input or escape output. An authenticated attacker with Editor-level permissions or higher can inject malicious scripts via the General Setting page. These scripts then execute when an administrator views the E-mail Setting page, potentially compromising the admin's session or data.

Impact Analysis

This vulnerability can allow an attacker with Editor-level access to inject malicious JavaScript code into the plugin's settings. When an administrator accesses the E-mail Setting page, the injected script executes in their browser, potentially leading to session hijacking, unauthorized actions, or data theft. This compromises the security of the WordPress site and its administrators.

Detection Guidance

This vulnerability can be detected by checking if the Welcart e-Commerce plugin version is 2.11.22 or earlier, as these versions are vulnerable. Additionally, inspecting the 'order_mail' setting in the plugin's General Setting page for suspicious or injected scripts could indicate exploitation. Since the vulnerability involves stored Cross-Site Scripting (XSS) via the 'order_mail' field, reviewing the database entries for this field for unexpected script tags or payloads is recommended. Specific commands are not provided in the resources.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Welcart e-Commerce plugin to version 2.11.23 or later, which includes security enhancements that sanitize and validate the 'order_mail' and other email-related fields to prevent XSS attacks. Users running version 2.11 or later will receive this update automatically, while those on earlier versions should update manually. Ensuring the environment runs supported PHP (7.4 to 8.2) and WordPress (5.6 to 6.8) versions is also recommended. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-10651. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart