The Welcart e-Commerce plugin for WordPress contains a missing capability check on the 'usces_export' action in all releases up to 2.11.24. This flaw allows an attacker without any user credentials to view confidential information such as payment processor secrets, contact details, mail templates, and other store settings. The vulnerability originates from a missing access control (CWE‑862) and results in unauthorized disclosure of data that may compromise payment processing, privacy, and business operations. The potential impact is the exposure of sensitive operational information to unauthenticated users; no code execution or denial of service is described.

Vulnerable installations of the Welcart e‑Commerce WordPress plugin, version 2.11.24 or older. The issue affects all hosts running these plugin versions regardless of WordPress configuration, as the flaw is in the plugin’s action handler and applies to any site using the exposed export endpoint.

The CVSS score of 5.3 indicates the flaw is of moderate severity. The EPSS value of <1% signals that the likelihood of real‑world exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog, further suggesting it is not actively exploited at scale. However, attackers could easily discover the exported data via a simple HTTP request to the 'usces_export' URL when the plugin is running an affected version, emphasizing the need for a timely fix.