CVE-2025-12979Missing Authorization in Welcart E-commerce

CWE-862Missing Authorization3 documents3 sources
Severity
5.3MEDIUMNVD
EPSS
0.1%
top 78.66%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Uscnanbu Welcart E-commerce
Timeline
PublishedNov 13

Description

The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' action in all versions up to, and including, 2.11.24. This makes it possible for unauthenticated attackers to access configured payment credentials (ex. PayPal api secret) , as well as business contact details, mail templates, and other operational settings tied to the store.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

CVEListV5uscnanbu/welcart_e-commerce2.11.24

🔴Vulnerability Details

2
GHSA
GHSA-q7jj-p6j2-p9x6: The Welcart e-Commerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'usces_export' actio2025-11-13
CVEList
Welcart e-Commerce <= 2.11.24 - Missing Authorization to Unauthenticated Information Exposure2025-11-13
CVE-2025-12979 — Missing Authorization | cvebase