CVE-2025-10651 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Welcart e-Commerce plugin for WordPress. The flaw exists due to insufficient input sanitization on the 'order_mail' configuration field and a lack of proper output escaping when rendering this data on the E-mail Setting page. Authenticated users with Editor-level permissions or higher can exploit this by injecting arbitrary JavaScript code into the 'order_mail' field via the General Setting page. When an administrator subsequently accesses the E-mail Setting page, the malicious script executes in their browser context, potentially allowing session hijacking, privilege escalation, or other malicious actions within the admin interface. The vulnerability affects all versions up to and including 2.11.22. The attack vector is remote network-based with low attack complexity, requiring no user interaction beyond the admin viewing the page. The vulnerability impacts confidentiality and integrity but not availability, and the scope is confined to WordPress sites running the vulnerable Welcart plugin. No patches or exploit code are currently publicly available, but the vulnerability has been officially published and assigned a CVSS 3.1 score of 5.5, indicating medium severity.

The primary impact of this vulnerability is the potential for attackers with Editor-level access to execute persistent malicious scripts in the context of administrative users. This can lead to theft of administrator session cookies, unauthorized actions performed with admin privileges, and compromise of sensitive site data. Since the vulnerability affects the administrative interface, it can facilitate privilege escalation and persistent control over the e-commerce site. Organizations relying on Welcart e-Commerce for WordPress risk data leakage, unauthorized order manipulation, or site defacement. The vulnerability does not directly affect availability but can undermine trust and operational integrity. Given the widespread use of WordPress and the popularity of e-commerce plugins, this vulnerability poses a moderate risk to online retailers, especially those with multiple editors or administrators managing their sites.

To mitigate this vulnerability, organizations should immediately update the Welcart e-Commerce plugin to a version that addresses this issue once available. In the absence of an official patch, administrators should restrict Editor-level permissions strictly to trusted users and audit existing user roles to minimize exposure. Implementing Web Application Firewall (WAF) rules to detect and block suspicious input patterns in the 'order_mail' field can provide temporary protection. Additionally, administrators should avoid accessing the E-mail Setting page until the vulnerability is resolved. Employing Content Security Policy (CSP) headers can help reduce the impact of injected scripts. Regular security audits and monitoring for unusual administrative activity are also recommended. Finally, educating site administrators about the risks of stored XSS and safe plugin management practices will help prevent exploitation.