{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12979", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-10T19:00:51.010Z", "datePublished": "2025-11-13T03:27:37.857Z", "dateUpdated": "2026-04-08T16:42:36.554Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:42:36.554Z"}, "affected": [{"vendor": "uscnanbu", "product": "Welcart e-Commerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.11.24", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials (ex. PayPal api secret) , as well as business contact details, mail templates, and other operational settings tied to the store."}], "title": "Welcart e-Commerce <= 2.11.24 - Missing Authorization to Unauthenticated Information Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26255cd9-2361-4d17-8d1b-9bdadcc69043?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394001%40usc-e-shop&new=3394001%40usc-e-shop&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Marcin Dudek"}], "timeline": [{"time": "2025-11-10T19:16:05.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-12T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-13T14:27:42.682974Z", "id": "CVE-2025-12979", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T14:34:29.933Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12979", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-13T14:27:42.682974Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-13T14:27:44.903Z"}}], "cna": {"title": "Welcart e-Commerce <= 2.11.24 - Missing Authorization to Unauthenticated Information Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Marcin Dudek"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "uscnanbu", "product": "Welcart e-Commerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.11.24"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T19:16:05.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-12T00:00:00.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26255cd9-2361-4d17-8d1b-9bdadcc69043?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394001%40usc-e-shop&new=3394001%40usc-e-shop&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials (ex. PayPal api secret) , as well as business contact details, mail templates, and other operational settings tied to the store."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-13T03:27:37.857Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12979", "state": "PUBLISHED", "dateUpdated": "2025-11-13T14:34:29.933Z", "dateReserved": "2025-11-10T19:00:51.010Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-13T03:27:37.857Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials (ex. PayPal api secret) , as well as business contact details, mail templates, and other operational settings tied to the store."}], "id": "CVE-2025-12979", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-13T04:15:46.730", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394001%40usc-e-shop&new=3394001%40usc-e-shop&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26255cd9-2361-4d17-8d1b-9bdadcc69043?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:41:09.904278+00:00", "value": {"mitigation_remediation": ["Update the Welcart e\u2011Commerce plugin to version 2.11.25 or later, which removes the missing capability check on 'usces_export'.", "If an update is not immediately possible, block access to the 'usces_export' endpoint at the web server level (e.g., via .htaccess or firewall rules) to prevent unauthenticated requests.", "After applying a fix, review the stored payment credentials and other exported data for signs of compromise and rotate any exposed secrets or credentials."], "summary": {"action": "PatchNow", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "Vulnerable installations of the Welcart e\u2011Commerce WordPress plugin, version 2.11.24 or older. The issue affects all hosts running these plugin versions regardless of WordPress configuration, as the flaw is in the plugin\u2019s action handler and applies to any site using the exposed export endpoint.", "description_and_impact": "The Welcart e-Commerce plugin for WordPress contains a missing capability check on the 'usces_export' action in all releases up to 2.11.24. This flaw allows an attacker without any user credentials to view confidential information such as payment processor secrets, contact details, mail templates, and other store settings. The vulnerability originates from a missing access control (CWE\u2011862) and results in unauthorized disclosure of data that may compromise payment processing, privacy, and business operations. The potential impact is the exposure of sensitive operational information to unauthenticated users; no code execution or denial of service is described.", "risk_and_exploitability": "The CVSS score of 5.3 indicates the flaw is of moderate severity. The EPSS value of <1% signals that the likelihood of real\u2011world exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog, further suggesting it is not actively exploited at scale. However, attackers could easily discover the exported data via a simple HTTP request to the 'usces_export' URL when the plugin is running an affected version, emphasizing the need for a timely fix."}}}}, "created": "2025-11-13T15:50:09.444014+00:00", "updated": "2026-04-22T16:45:21.461125+00:00", "vendors": ["uscnanbu", "uscnanbu$PRODUCT$welcart_e-commerce", "wordpress", "wordpress$PRODUCT$wordpress"]}