Impact
The vulnerability arises from insufficient sanitization of the order_mail setting in the Welcart e‑Commerce plugin. An authenticated user with Editor or higher privileges can insert arbitrary JavaScript into this field via the General Settings page. When an administrator subsequently opens the E‑mail Settings page, the stored script is rendered and executed in the administrator’s browser, allowing the attacker to steal session cookies, perform actions under the administrator’s account, or redirect the administrator to malicious sites. This is a classic stored cross‑site scripting flaw (CWE‑79), providing an attacker with the ability to compromise the integrity of the administrative session and potentially exfiltrate sensitive data.
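As an added illustration, not Welcart's own code (the option name, form field and function names below are hypothetical), the following WordPress-style snippet places the unsafe shape of this bug class beside its hardened form: a capability and nonce check when the setting is saved, sanitisation before storage, and escaping when the stored value is rendered back into the admin page.

```php
<?php
// Added example, not Welcart's code. 'demo_order_mail' and the function
// names are hypothetical stand-ins for a stored plugin setting.

// --- Unsafe pattern: a stored option echoed verbatim into admin HTML ---
function demo_render_order_mail_unsafe() {
    $value = get_option( 'demo_order_mail', '' );
    // Whatever was saved is emitted as-is, so markup stored by a lower-privileged
    // user runs in the administrator's browser when this page is viewed (CWE-79).
    echo '<textarea name="demo_order_mail">' . $value . '</textarea>';
}

// --- Hardened form ---
function demo_save_order_mail() {
    // Only users allowed to manage site options may change the setting;
    // an Editor-level account is refused here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Reject form submissions that do not carry a valid nonce (CSRF protection).
    check_admin_referer( 'demo_save_order_mail' );

    $raw = isset( $_POST['demo_order_mail'] ) ? wp_unslash( $_POST['demo_order_mail'] ) : '';
    // Strip tags and control characters before storing a plain-text setting.
    $clean = sanitize_textarea_field( $raw );
    update_option( 'demo_order_mail', $clean );
}

function demo_render_order_mail_safe() {
    $value = get_option( 'demo_order_mail', '' );
    // Escape on output regardless of what was stored: esc_textarea() encodes
    // <, >, & and quotes, so the value cannot break out of the element.
    echo '<textarea name="demo_order_mail">' . esc_textarea( $value ) . '</textarea>';
}
```

Escaping at output is the control that matters even if a sanitisation step is later bypassed or the value reaches the database by another path.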
Affected Systems
The flaw exists in Welcart e‑Commerce versions up to and including 2.11.22. Only users who can authenticate and hold at least Editor-level permissions can exploit the issue; it is not exploitable by unauthenticated users or by users with lower privileges.
Risk and Exploitability
The CVSS score of 5.5 indicates moderate overall risk, while the EPSS score of less than 1% suggests that exploitation is unlikely in the near term; the vulnerability has not been observed in active exploitation campaigns (KEV status is not listed). Exploitation requires an authenticated Editor+ user to inject malicious code into the order_mail field, after which an administrator must visit the E‑mail Settings page for the attack to trigger. The need for privileged, authenticated access and for administrator interaction keeps the probability of exploitation low, but the impact is significant if the attack is successfully triggered.
OpenCVE Enrichment