Description
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-02-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Patch
AI Analysis

Impact

The plugin contains an unsanitized 'name' input that is stored and later output without proper escaping, allowing any attacker to embed malicious scripts. When an affected page is viewed, the injected code executes in the victim's browser, potentially stealing session cookies, defacing the site, or redirecting the user to malicious domains. This flaw is classified as a stored cross‑site scripting vulnerability (CWE‑79) and can be triggered without any authentication.

Affected Systems

Vulnerable versions of the plugin are all releases of Welcart e‑Commerce for WordPress up to and including 2.11.9. The risk applies to installations that have not upgraded beyond this build.

Risk and Exploitability

The CVSS base score of 7.2 indicates high severity, but the EPSS score is below 1%, suggesting that the current probability of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by submitting a crafted 'name' value through any input interface that writes the data to the database, such as product creation or order entry, and then influence a legitimate user to view the affected page.

Generated by OpenCVE AI on April 22, 2026 at 13:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Welcart e‑Commerce to the latest version (2.12.0 or later) where the 'name' field is properly sanitized and escaped.
  • If upgrading immediately is not possible, restrict the use of the 'name' parameter to authenticated administrators or hard‑code it to safe values; otherwise disable the feature.
  • Deploy a web application firewall or configure your security plugin to detect and block stored XSS payloads in input data.

Generated by OpenCVE AI on April 22, 2026 at 13:29 UTC.
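As an added illustration that is not Welcart's code (the plugin's real handler for the 'name' parameter is not shown on this page, so every function, option and capability name below is a hypothetical placeholder), here is the store-and-echo pattern the analysis describes beside the hardened WordPress form that sanitizes on input and escapes at output:

```php
<?php
// Hypothetical illustration, not Welcart's own code. Function, option and
// capability names are placeholders; the plugin's real 'name' handler is not on the page.

// Vulnerable pattern: the value is stored as submitted and echoed without escaping,
// so markup placed in 'name' is delivered to every visitor of the rendering page.
function hypo_store_name_unsafe() {
    $name = $_POST['name'] ?? '';                    // untrusted, possibly unauthenticated
    update_option( 'hypo_stored_name', $name );      // persisted verbatim
}

function hypo_render_name_unsafe() {
    echo '<span class="customer">' . get_option( 'hypo_stored_name' ) . '</span>';
}

// Hardened pattern. A customer name is legitimately submitted by unauthenticated
// visitors (checkout), so the controls are: sanitize on input, then escape on
// output for the exact HTML context. Output escaping is the essential control;
// input sanitization alone does not make later rendering safe.
function hypo_store_name_safe() {
    $raw  = wp_unslash( $_POST['name'] ?? '' );      // undo WordPress' added slashes
    $name = sanitize_text_field( $raw );             // strips tags, invalid UTF-8, extra whitespace
    if ( '' === $name || mb_strlen( $name ) > 100 ) { // hypothetical length bound
        wp_die( 'Invalid name', '', array( 'response' => 400 ) );
    }
    update_option( 'hypo_stored_name', $name );
}

function hypo_render_name_safe() {
    $name = get_option( 'hypo_stored_name', '' );
    // esc_html() for text nodes, esc_attr() for attribute values; each is
    // context-specific and neither substitutes for the other.
    printf(
        '<span class="customer" data-name="%s">%s</span>',
        esc_attr( $name ),
        esc_html( $name )
    );
}

// For an admin-only writer (e.g. product creation), put a capability check and a
// nonce check in front of the same sanitize/escape pair.
function hypo_store_name_admin() {
    if ( ! current_user_can( 'manage_options' ) ) { // core capability used as a stand-in
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'hypo_store_name' );        // rejects requests lacking a valid nonce
    hypo_store_name_safe();
}
```

When reviewing a plugin for this class of bug, grep for `echo`/`printf` of values that come from `get_option`, post meta or order meta and confirm each is wrapped in the escaping function matching its output context.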


Advisories

Source: EUVD
ID: EUVD-2025-1727
Title: The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Sat, 12 Jul 2025 13:45:00 +0000
  Metrics (epss) removed: {'score': 0.00086}
  Metrics (epss) added:   {'score': 0.002}

Fri, 11 Jul 2025 13:45:00 +0000
  Metrics (epss) removed: {'score': 0.00217}
  Metrics (epss) added:   {'score': 0.00086}

Thu, 20 Feb 2025 21:00:00 +0000
  First Time appeared added: Welcart; Welcart welcart E-commerce
  CPEs added: cpe:2.3:a:welcart:welcart_e-commerce:*:*:*:*:*:wordpress:*:*
  Vendors & Products added: Welcart; Welcart welcart E-commerce

Wed, 12 Feb 2025 16:15:00 +0000
  Metrics (ssvc) added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Feb 2025 11:30:00 +0000
  Description added: The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
  Title added: Welcart e-Commerce <= 2.11.9 - Unauthenticated Stored Cross-Site Scripting via name Parameter
  Weaknesses added: CWE-79
  References:
  Metrics (cvssV3_1) added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Welcart Welcart E-commerce
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:09.250Z

Reserved: 2025-01-15T23:20:06.101Z

Link: CVE-2025-0511

Vulnrichment

Updated: 2025-02-12T14:35:22.958Z

NVD

Status : Analyzed

Published: 2025-02-12T12:15:29.210

Modified: 2025-02-20T20:35:03.573

Link: CVE-2025-0511

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:30:17Z

Weaknesses