CVE-2025-58984 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability affecting the nanbu Welcart e-Commerce platform up to version 2.11.20. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. Specifically, user-supplied input is not adequately sanitized or encoded before being included in web pages, allowing attackers to inject malicious scripts that are stored persistently on the server. When other users or administrators access the affected pages, the malicious scripts execute in their browsers within the context of the vulnerable site. This can lead to theft of session cookies, user impersonation, defacement, or redirection to malicious sites. The CVSS v3.1 base score is 5.9, reflecting a medium severity level. The vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. Confidentiality, integrity, and availability impacts are all low. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on September 9, 2025, shortly after being reserved on September 6, 2025.

For European organizations using the Welcart e-Commerce platform, this vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data. Attackers with high privileges (e.g., authenticated administrators or trusted users) could inject malicious scripts that execute when other users visit affected pages, potentially leading to session hijacking, unauthorized actions, or distribution of malware. This could damage customer trust, lead to data breaches involving personal or payment information, and cause reputational harm. The availability impact is low but could manifest if attackers use XSS to deface or disrupt the e-commerce site. Given the e-commerce context, even medium-severity vulnerabilities can have significant business impact due to potential financial losses and regulatory consequences under GDPR if personal data is compromised. The requirement for high privileges and user interaction somewhat limits exploitation but does not eliminate risk, especially in environments with multiple administrators or users with elevated rights.

Organizations should prioritize applying any forthcoming patches from nanbu for Welcart e-Commerce to address this vulnerability. In the absence of patches, immediate mitigation steps include implementing strict input validation and output encoding on all user-supplied data rendered in web pages, especially in administrative interfaces. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of injected scripts. Review and minimize the number of users with high privileges to reduce attack surface. Conduct regular security audits and penetration testing focusing on XSS vectors. Educate administrators and users about the risks of clicking on suspicious links or executing untrusted scripts. Additionally, consider deploying Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting Welcart e-Commerce. Monitoring logs for unusual activity related to script injection attempts can also help in early detection.