CVE-2025-9367Cross-site Scripting in Welcart E-commerce

CWE-79Cross-site Scripting3 documents3 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 92.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Uscnanbu Welcart E-commerce
Timeline
PublishedSep 10

Description

The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disab

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages1 packages

CVEListV5uscnanbu/welcart_e-commerce2.11.20

🔴Vulnerability Details

2
CVEList
Welcart e-Commerce <= 2.11.20 - Authenticated (Editor+) Stored Cross-Site Scripting2025-09-10
GHSA
GHSA-9ww4-wpg6-6q9x: The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 22025-09-10
CVE-2025-9367 — Cross-site Scripting | cvebase