CVE-2025-10651

Description

The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the order_mail setting in versions up to, and including, 2.11.22. This is due to insufficient sanitization on the order_mail field and a lack of escaping on output. This makes it possible for authenticated attackers, with Editor-level permissions and above, to inject arbitrary web scripts via the General Setting page that will execute when an administrator accesses the E-mail Setting page.