CVE-2025-12979 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Welcart e-Commerce plugin for WordPress, maintained by uscnanbu. The flaw arises because the plugin fails to perform a capability check on the 'usces_export' action, which is responsible for exporting store data. This missing authorization check allows unauthenticated attackers to invoke this action remotely without any credentials or user interaction. As a result, attackers can access sensitive information including configured payment credentials (e.g., PayPal API secrets), business contact details, mail templates, and other operational settings related to the e-commerce store. The vulnerability affects all versions up to and including 2.11.24. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based with low attack complexity, no privileges required, and no user interaction needed. The impact is primarily on confidentiality, as attackers can read sensitive data, but there is no direct impact on integrity or availability. No patches are currently linked, and no known exploits have been reported in the wild. However, the exposure of payment credentials can lead to financial fraud or further compromise if leveraged by attackers. The vulnerability is significant for e-commerce operators relying on Welcart, especially those handling sensitive payment and business data.

For European organizations, the impact of this vulnerability can be substantial. Unauthorized access to payment credentials such as PayPal API secrets can lead to fraudulent transactions, financial losses, and reputational damage. Exposure of business contact details and operational settings can facilitate targeted phishing campaigns or social engineering attacks. Additionally, leaked mail templates may reveal internal communication patterns or sensitive business processes. Given the widespread use of WordPress and the popularity of Welcart in European e-commerce markets, especially among small and medium enterprises, this vulnerability could affect a broad range of businesses. The breach of confidentiality may also lead to non-compliance with GDPR regulations, resulting in legal penalties and fines. While the vulnerability does not directly impact system integrity or availability, the indirect consequences of data leakage and fraud can disrupt business operations and customer trust.

Organizations should immediately audit their use of the Welcart e-Commerce plugin and verify the version in use. Since no official patch links are currently available, administrators should consider temporarily disabling the 'usces_export' functionality or restricting access to it via web application firewalls (WAFs) or server-level access controls. Implementing IP whitelisting or authentication requirements for accessing export functions can reduce exposure. Monitoring web server logs for unusual or repeated access attempts to the 'usces_export' endpoint is critical to detect exploitation attempts early. Organizations should also review and rotate any exposed payment credentials, such as PayPal API secrets, to prevent misuse. Regular backups and incident response plans should be updated to handle potential data breaches. Once a patch is released by the vendor, it should be applied promptly. Additionally, educating staff about phishing risks stemming from leaked contact information can help mitigate follow-on attacks.