The Welcart e-Commerce plugin for WordPress contains a SQL Injection flaw that an attacker can exploit by manipulating a cookie. The insufficient escaping of user supplied values in the query construction allows the execution of arbitrary SQL statements. The associated weakness is CWE-89. An attacker with Author or higher privileges can craft a cookie to append malicious SQL that may read or modify sensitive database contents, leading to data theft or corruption. The attack vector is inferred from the description: the vulnerability is triggered by sending a crafted cookie in an authenticated web request, though the CVE entry does not explicitly state the transport mechanism.

All installations of Welcart e-Commerce version 2.11.21 or earlier on WordPress sites. The plugin is distributed by the vendor uscnanbu. Users running these versions are susceptible; newer releases beyond 2.11.21 are not affected.

The CVSS score of 6.5 indicates a medium severity. The EPSS score of less than 1% shows a very low probability of exploitation at this time, and it is not listed in the CISA KEV catalog. However, the vulnerability requires authenticated access with Author-level privileges, which many site administrators or content authors possess. Attackers can trigger the flaw by sending an HTTP request containing a crafted cookie; this inference is based on the description that manipulation occurs via a cookie. Thus the likely attack vector is an authenticated web request with a modified cookie. Given the limited scope of required privileges, the risk is moderate but could be severe if the attacker gains access to privileged accounts.