CVE-2025-10651 is a stored cross-site scripting vulnerability identified in the Welcart e-Commerce plugin for WordPress, a popular e-commerce solution primarily used in Japan but also adopted internationally. The vulnerability exists in versions up to and including 2.11.22 due to improper neutralization of input (CWE-79) in the 'order_mail' setting. Specifically, the plugin fails to sufficiently sanitize user input on this field and does not escape output when rendering the E-mail Setting page. This flaw allows an authenticated attacker with Editor-level or higher permissions to inject arbitrary JavaScript code into the 'order_mail' field via the General Setting page. When an administrator subsequently visits the E-mail Setting page, the malicious script executes in their browser context. This can lead to session hijacking, privilege escalation, or other malicious actions within the administrative interface. The vulnerability requires no user interaction beyond the administrator visiting the affected page, but it does require the attacker to have elevated privileges (Editor or above). The CVSS 3.1 base score is 5.5, reflecting medium severity with network attack vector, low attack complexity, and partial impact on confidentiality and integrity but no impact on availability. No public exploits are currently known, and no official patches have been linked yet. The vulnerability highlights the importance of proper input validation and output escaping in web applications, especially in plugins that handle sensitive administrative settings.

For European organizations, this vulnerability poses a significant risk primarily to the confidentiality and integrity of administrative accounts and data within WordPress environments using the Welcart e-Commerce plugin. An attacker exploiting this flaw could execute arbitrary scripts in the context of an administrator, potentially leading to session hijacking, unauthorized changes to e-commerce settings, or theft of sensitive information such as customer data and order details. This could result in reputational damage, regulatory non-compliance (e.g., GDPR violations), and financial losses. Since the vulnerability requires Editor-level access, it could be exploited by insider threats or compromised accounts. The scope is limited to organizations using the affected plugin versions, but given WordPress’s widespread use in Europe and the popularity of e-commerce solutions, the impact could be broad. The lack of known exploits reduces immediate risk, but the medium severity score indicates that timely mitigation is necessary to prevent future attacks.

European organizations should take the following specific actions: 1) Immediately audit user roles and restrict Editor-level and higher permissions to trusted personnel only, minimizing the attack surface. 2) Monitor and review changes to the 'order_mail' setting and other administrative configurations for suspicious activity. 3) Implement web application firewalls (WAFs) with rules to detect and block malicious script injections targeting the 'order_mail' parameter. 4) Apply strict input validation and output escaping in custom code or request the vendor to release a patch addressing the sanitization and escaping issues. 5) Educate administrators to avoid visiting untrusted or suspicious pages within the WordPress dashboard. 6) Regularly update WordPress and plugins to the latest versions once patches become available. 7) Consider isolating administrative interfaces behind VPNs or IP whitelisting to reduce exposure. These steps go beyond generic advice by focusing on role management, monitoring, and proactive filtering tailored to this vulnerability’s characteristics.