CVE-2025-10651 – Welcart e-Commerce

CVE ID : CVE-2025-10651

Published : Oct. 22, 2025, 6:15 a.m. | 27 minutes ago

Description : The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘order_mail’ setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it possible for authenticated attackers, with Editor-level permissions and above, to inject arbitrary web scripts via the General Setting page that will execute when an administrator accesses the E-mail Setting page.

Severity: 5.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…