{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10651", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-17T19:03:50.937Z", "datePublished": "2025-10-22T05:27:56.728Z", "dateUpdated": "2026-04-08T17:35:16.305Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:16.305Z"}, "affected": [{"vendor": "uscnanbu", "product": "Welcart e-Commerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.11.22", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it possible for authenticated attackers, with Editor-level permissions and above, to inject arbitrary web scripts via the General Setting page that will execute when an administrator accesses the E-mail Setting page."}], "title": "Welcart e-Commerce <= 2.11.22 - Authenticated (Editor+) Stored Cross-Site Scripting via order_mail", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff1f81e8-64ed-4330-9c76-1a8d2e2d307d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3374769/usc-e-shop"}, {"url": "https://www.welcart.com/archives/26052.html"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Miguel Santareno"}], "timeline": [{"time": "2025-09-17T19:19:11.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-21T17:22:23.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-22T13:33:37.362904Z", "id": "CVE-2025-10651", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T13:33:50.557Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10651", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-22T13:33:37.362904Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T13:33:41.564Z"}}], "cna": {"title": "Welcart e-Commerce <= 2.11.22 - Authenticated (Editor+) Stored Cross-Site Scripting via order_mail", "credits": [{"lang": "en", "type": "finder", "value": "Miguel Santareno"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "uscnanbu", "product": "Welcart e-Commerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.11.22"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-17T19:19:11.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-21T17:22:23.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff1f81e8-64ed-4330-9c76-1a8d2e2d307d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3374769/usc-e-shop"}, {"url": "https://www.welcart.com/archives/26052.html"}], "descriptions": [{"lang": "en", "value": "The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it possible for authenticated attackers, with Editor-level permissions and above, to inject arbitrary web scripts via the General Setting page that will execute when an administrator accesses the E-mail Setting page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:16.305Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10651", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:35:16.305Z", "dateReserved": "2025-09-17T19:03:50.937Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-22T05:27:56.728Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it possible for authenticated attackers, with Editor-level permissions and above, to inject arbitrary web scripts via the General Setting page that will execute when an administrator accesses the E-mail Setting page."}], "id": "CVE-2025-10651", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-22T06:15:31.210", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3374769/usc-e-shop"}, {"source": "security@wordfence.com", "url": "https://www.welcart.com/archives/26052.html"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff1f81e8-64ed-4330-9c76-1a8d2e2d307d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:11:25.181690+00:00", "value": {"mitigation_remediation": ["Upgrade Welcart e\u2011Commerce to a version later than 2.11.22 that contains the fixed sanitization for the order_mail setting. ", "Clean the order_mail field by removing any existing JavaScript or other suspicious content that may have been saved prior to the update. ", "Restrict the ability of non\u2011essential users to edit the General Settings page or the order_mail field, or otherwise eliminate Editor+ permissions for that capability until a reliable patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Authenticated Stored Cross\u2011Site Scripting enabled by the order_mail field"}, "threat_synthesis": {"affected_systems": "The flaw exists in Welcart e\u2011Commerce versions up to and including 2.11.22. Only users who can authenticate and have at least Editor level permissions can exploit the issue; the vulnerability is not exploitable by unauthenticated users or users with lower privileges.", "description_and_impact": "The vulnerability arises from insufficient sanitization of the order_mail setting in the Welcart e\u2011Commerce plugin. An authenticated user with Editor or higher privileges can insert arbitrary JavaScript into this field via the General Settings page. When an administrator subsequently opens the E\u2011mail Settings page, the stored script is rendered and executed in the administrator\u2019s browser, allowing the attacker to steal session cookies, perform actions under the administrator\u2019s account, or redirect the administrator to malicious sites. This is a classic stored cross\u2011site scripting flaw (CWE\u201179), providing an attacker with the ability to compromise the integrity of the administrative session and potentially exfiltrate sensitive data.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate overall risk, while the EPSS score of less than 1% suggests that exploitation is unlikely in the near term and the vulnerability has not been observed in active exploitation campaigns (KEV status is not listed). Exploitation requires an authenticated Editor+ user to inject malicious code into the order_mail field, after which an administrator must visit the email settings page for the attack to trigger. The limited attack vector and need for privileged access keep the probability of exploitation low, but the impact is significant if successfully triggered."}}}}, "created": "2025-10-23T10:07:56.099008+00:00", "updated": "2026-04-21T02:15:06.530631+00:00", "vendors": ["welcart", "welcart$PRODUCT$e-commerce", "welcart$PRODUCT$welcart_e-commerce", "wordpress", "wordpress$PRODUCT$wordpress"]}