CVE-2025-0511
📋 TL;DR
The Welcart e-Commerce plugin for WordPress has a stored cross-site scripting (XSS) vulnerability in the 'name' parameter that allows unauthenticated attackers to inject malicious scripts. These scripts execute automatically when users visit compromised pages, potentially stealing credentials or hijacking sessions. All WordPress sites using Welcart versions up to 2.11.9 are affected.
💻 Affected Systems
- Welcart e-Commerce plugin for WordPress
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, deface websites, or redirect users to malicious sites, potentially leading to complete site compromise and data theft.
Likely Case
Attackers inject malicious scripts to steal user session cookies or credentials, enabling account takeover and unauthorized access to sensitive e-commerce data.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, though legacy vulnerable versions remain at risk until patched.
🎯 Exploit Status
Exploitation is straightforward as it requires no authentication and involves simple script injection via the 'name' parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.10 or later
Vendor Advisory: https://wordpress.org/plugins/usc-e-shop/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Welcart e-Commerce' and click 'Update Now'.
4. Verify the plugin version is 2.11.10 or higher.
🔧 Temporary Workarounds
Input Sanitization via WordPress Hooks
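WordPress: Add custom code to sanitize the 'name' parameter before processing.
Add to the theme's functions.php or a custom plugin: add_filter('preprocess_welcart_name', 'sanitize_text_field');
A filter registered this way only runs if the installed plugin applies a hook named 'preprocess_welcart_name', so confirm that in the plugin source before relying on it.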
🧯 If You Can't Patch
- Temporarily disable the Welcart plugin if e-commerce functionality is not critical, but note this will break online store operations.
- Implement a web application firewall (WAF) rule to block malicious input patterns targeting the 'name' parameter.
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in WordPress admin under Plugins > Installed Plugins; if Welcart version is 2.11.9 or lower, it is vulnerable.
Check Version:
With WP-CLI, run (the --name filter matches the plugin slug, not its display title): wp plugin list --name=usc-e-shop --field=version
Verify Fix Applied:
After updating, confirm the plugin version is 2.11.10 or higher in the same location and test that script injection via the 'name' parameter is blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to Welcart endpoints with script tags in 'name' parameter
- Increased error logs related to input validation failures
Network Indicators:
- HTTP requests containing malicious script payloads in the 'name' parameter to Welcart plugin URLs
SIEM Query:
source="wordpress.log" AND "name=<script>" AND "usc-e-shop"
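The SIEM query above matches only the literal string name=<script>, so URL-encoded input passes it unnoticed. The Python sketch below is an added example, not part of the original advisory or of Welcart's code: it decodes the 'name' parameter before matching. The log line format, the EXAMPLE-ENDPOINT paths and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

PLUGIN_MARKER = "usc-e-shop"  # plugin slug, as it appears in this page's URLs
# Heuristic: an HTML tag opener or an inline event-handler attribute in a name field.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=", re.IGNORECASE)

# Constructed sample lines in an assumed "<ip> <method> <url> <body or ->" format.
SAMPLE_LOG = [
    "198.51.100.4 POST /wp-content/plugins/usc-e-shop/EXAMPLE-ENDPOINT name=Taro+Yamada&zip=1000001",
    "203.0.113.7 POST /wp-content/plugins/usc-e-shop/EXAMPLE-ENDPOINT name=%3Cscript%3E",
    "203.0.113.7 POST /wp-content/plugins/usc-e-shop/EXAMPLE-ENDPOINT name=%253Cscript%253E",
    "203.0.113.9 GET /wp-content/plugins/usc-e-shop/EXAMPLE-ENDPOINT?name=%3CSCRIPT%3E -",
    "203.0.113.9 POST /wp-content/plugins/EXAMPLE-OTHER-PLUGIN/endpoint name=%3Cscript%3E",
]


def fully_decode(value, max_rounds=3):
    """Undo nested URL-encoding (%253C -> %3C -> <), bounded so it always stops."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def name_values(url, body):
    """Collect every 'name' parameter from the query string and the form body."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if body != "-":
        pairs += parse_qsl(body, keep_blank_values=True)
    return [value for key, value in pairs if key == "name"]


def scan(lines):
    """Return (line_number, client_ip, decoded_value) for each suspicious 'name'."""
    hits = []
    for number, line in enumerate(lines, start=1):
        parts = line.split()
        # Mirror the query above: only lines that mention the plugin slug.
        if len(parts) != 4 or PLUGIN_MARKER not in line:
            continue
        ip, _method, url, body = parts
        for raw in name_values(url, body):
            decoded = fully_decode(raw)
            if SUSPICIOUS.search(decoded):
                hits.append((number, ip, decoded))
    return hits
```

None of the sample lines contains the literal name=<script>, yet lines 2 to 4 decode to it; standard access logs usually omit POST bodies, so this needs a log source that records them.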
🔗 References
- https://plugins.trac.wordpress.org/browser/usc-e-shop/trunk/functions/settlement_func.php#L612
- https://plugins.trac.wordpress.org/changeset/3235131/
- https://wordpress.org/plugins/usc-e-shop/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6c26270b-a0a7-4877-aa66-bffe260003df?source=cve