CVE-2025-10649 is a SQL Injection vulnerability identified in the Welcart e-Commerce plugin for WordPress, a widely used e-commerce solution in Japan and other markets. The vulnerability arises from improper neutralization of special characters in SQL commands (CWE-89), specifically due to insufficient escaping of user-supplied cookie values and the absence of prepared statements in SQL queries. Authenticated attackers with Author-level or higher privileges can exploit this flaw by injecting additional SQL commands into existing queries, enabling them to extract sensitive information from the backend database. The attack vector is remote and network accessible, requiring no user interaction beyond authentication. The vulnerability affects all versions up to and including 2.11.21. The CVSS v3.1 base score is 6.5, indicating a medium severity with high confidentiality impact but no impact on integrity or availability. No known exploits have been reported in the wild, and no official patches have been released at the time of publication. The vulnerability underscores the importance of proper input validation, use of parameterized queries, and strict privilege management within WordPress plugins handling sensitive data.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the database, which may include customer data, transaction records, and configuration details. Since the vulnerability requires authenticated access at Author level or above, the risk is limited to users who already have some level of trust within the system, but it significantly elevates their ability to compromise confidentiality. The lack of impact on data integrity and availability reduces the risk of destructive attacks such as data tampering or denial of service. However, the exposure of sensitive data can lead to privacy violations, regulatory non-compliance, reputational damage, and potential downstream attacks leveraging the extracted information. Organizations running Welcart e-Commerce on WordPress sites, especially those with multiple authors or contributors, face increased risk if access controls are lax or if attackers can escalate privileges to Author level. The medium severity rating reflects a moderate but actionable threat that requires timely mitigation to prevent data breaches.

1. Immediately restrict Author-level and higher privileges to trusted users only, minimizing the attack surface. 2. Monitor and audit user activity and database queries for unusual patterns indicative of SQL injection attempts. 3. Implement Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting cookie parameters. 4. Apply principle of least privilege to database accounts used by the plugin, limiting data exposure if exploited. 5. Until an official patch is released, consider disabling or replacing the Welcart e-Commerce plugin if feasible. 6. Encourage plugin developers or site administrators to update the plugin code to use prepared statements and proper input sanitization for all user-supplied data, including cookies. 7. Regularly back up databases and maintain incident response plans to quickly address potential data breaches. 8. Educate site administrators about the risks of privilege escalation and the importance of strong authentication controls.