Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Path Traversal. This issue affects Welcart e-Commerce: from n/a through <= 2.11.13.
Published: 2025-06-09
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to delete arbitrary files on the server because the Welcart e‑Commerce plugin for WordPress does not properly constrain user-supplied paths, a path traversal flaw identified as CWE‑22. By exploiting this weakness, an attacker could compromise application data, configuration files, or assets through file deletion, leading to loss of confidentiality and integrity of the site’s file system.

Affected Systems

The Welcart e‑Commerce plugin for WordPress, supplied by info@welcart, is affected in all versions up to and including 2.11.13. Any WordPress site running one of these versions inherits the path traversal flaw.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, while an EPSS score of less than 1% suggests a low current probability of exploitation. The vulnerability is not listed in CISA's KEV catalog, implying no widespread exploitation has been reported. Based on the description, it is inferred that an attacker could trigger the file deletion through a crafted request that walks out of the intended directory boundaries.

Generated by OpenCVE AI on May 1, 2026 at 07:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Welcart e‑Commerce plugin to version 2.11.14 or later to remove the path traversal flaw.
  • Limit access to the plugin’s deletion functionality to administrative users, or disable the feature if it is not required.
  • Configure the web‑root and plugin directories with restrictive file permissions so that only authorized users can delete files.

Advisories
Source: EUVD
ID: EUVD-2025-17518
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in nanbu Welcart e-Commerce allows Path Traversal. This issue affects Welcart e-Commerce: from n/a through 2.11.13.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}
Values Added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in nanbu Welcart e-Commerce allows Path Traversal. This issue affects Welcart e-Commerce: from n/a through 2.11.13.
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Path Traversal. This issue affects Welcart e-Commerce: from n/a through <= 2.11.13.

Type: Title
Values Removed: WordPress Welcart e-Commerce <= 2.11.13 - Arbitrary File Deletion Vulnerability
Values Added: WordPress Welcart e-Commerce plugin <= 2.11.13 - Arbitrary File Deletion Vulnerability

Type: References

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H'}
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00058}
Values Added: {'score': 0.00063}


Wed, 25 Jun 2025 20:00:00 +0000

Type: First Time appeared
Values Added: Welcart; Welcart welcart E-commerce

Type: CPEs
Values Added: cpe:2.3:a:welcart:welcart_e-commerce:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Welcart; Welcart welcart E-commerce

Tue, 10 Jun 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:00:00 +0000

Type: Description
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in nanbu Welcart e-Commerce allows Path Traversal. This issue affects Welcart e-Commerce: from n/a through 2.11.13.

Type: Title
Values Added: WordPress Welcart e-Commerce <= 2.11.13 - Arbitrary File Deletion Vulnerability

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:43.371Z

Reserved: 2025-05-07T09:39:30.830Z

Link: CVE-2025-47511

Vulnrichment

Updated: 2025-06-10T13:57:29.550Z

NVD

Status: Modified

Published: 2025-06-09T16:15:41.393

Modified: 2026-04-23T15:30:22.280

Link: CVE-2025-47511

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:45:06Z

Weaknesses