CVE-2025-9367: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in uscnanbu Welcart e-Commerce
The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 2.11.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
AI Analysis
Technical Summary
CVE-2025-9367 is a stored cross-site scripting (XSS) vulnerability in the Welcart e-Commerce plugin for WordPress, affecting all versions up to and including 2.11.20. The plugin neither sanitizes the values it stores from its settings screens nor escapes them when it writes them back into generated pages, so an authenticated user with the Editor role or higher can place markup containing script in a setting, and that script runs in the browser of anyone who later loads a page where the value is rendered. The multisite and unfiltered_html qualifier in the advisory describes when this is a security boundary at all, not how far an injection spreads. On a default single-site install WordPress grants the unfiltered_html capability to administrators and editors, so those users can already post raw HTML and script in ordinary content, and an unescaped settings field gives them nothing new. On multisite the capability is reserved for super administrators, and on single-site it is commonly removed with the DISALLOW_UNFILTERED_HTML constant or a role manager; in those configurations editors are not supposed to be able to emit script, and this bug bypasses that restriction. The attack requires network access and an account with editor-level privileges; no user interaction is needed beyond a victim loading an affected page. The CVSS 3.1 base score of 5.5 (medium) reflects the high privileges required, low confidentiality and integrity impact, and no availability impact. No public exploit has been reported. The CVE was reserved in August 2025 and published in September 2025; the record captured here links no fix, so check the plugin changelog and update to whatever release the vendor identifies as corrected.
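The difference between "no input sanitization" and "no output escaping", and why sanitization on its own is not enough, is easier to see in code. The following is an added example, not Welcart's code and not a payload from this advisory: a minimal model of a settings round trip in Python, with the field name and the two constructed payloads chosen for illustration. It goes a little beyond the advisory's wording by also covering a URL-valued setting, because escaping does not neutralize a javascript: scheme in an href and that case needs validation rather than encoding.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed payloads for a settings field (not taken from the advisory).
TAG_PAYLOAD = '"><img src=x onerror=alert(document.cookie)>'
# No tag at all: survives tag-stripping sanitizers but still injects an
# attribute-level event handler when the value lands in an attribute unescaped.
ATTR_PAYLOAD = '" autofocus onfocus=alert(1) x="'

# --- vulnerable pattern: value stored as submitted, echoed as stored ---------

def save_vulnerable(value: str) -> str:
    return value                       # no sanitization on the way in

def render_vulnerable(stored: str) -> str:
    # Raw interpolation into an attribute: a quote in the value ends the
    # attribute and whatever follows becomes new attributes or new tags.
    return f'<input type="text" name="shop_name" value="{stored}">'

# --- hardened pattern: sanitize on the way in, escape per context on the way out

_TAG_RE = re.compile(r'<[^>]*>')
_CTRL_RE = re.compile(r'[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]')

def sanitize_setting(value: str) -> str:
    """Roughly what WordPress' sanitize_text_field() does: strip tags, drop
    control characters, collapse whitespace. It does NOT touch quotes, so it
    is not a defense against attribute injection; that is the escaper's job."""
    value = _TAG_RE.sub('', value)
    value = _CTRL_RE.sub('', value)
    return ' '.join(value.split())

def esc_attr(value: str) -> str:
    """For attribute values: & < > " and ' all become entities."""
    return html.escape(value, quote=True)

def esc_html(value: str) -> str:
    """For text nodes: & < > are enough; quotes are harmless there."""
    return html.escape(value, quote=False)

def esc_url(value: str) -> str:
    """For href/src: escaping cannot neutralize a javascript: or data: scheme,
    so validate the scheme and reject anything not http(s) or relative."""
    value = value.strip()
    if urlsplit(value).scheme not in ('http', 'https', ''):
        return ''
    return esc_attr(value)

def render_hardened(stored: str) -> str:
    return f'<input type="text" name="shop_name" value="{esc_attr(stored)}">'

def render_label_hardened(stored: str) -> str:
    return f'<label>{esc_html(stored)}</label>'

def render_link_hardened(url: str) -> str:
    return f'<a href="{esc_url(url)}">shop</a>'

if __name__ == '__main__':
    for payload in (TAG_PAYLOAD, ATTR_PAYLOAD):
        print('vulnerable :', render_vulnerable(save_vulnerable(payload)))
        print('sanitized  :', render_vulnerable(sanitize_setting(payload)))
        print('hardened   :', render_hardened(sanitize_setting(payload)))
    print('link       :', render_link_hardened('javascript:alert(document.domain)'))
```

Running it shows that sanitize_setting removes the img tag from the first payload but leaves the second payload untouched, and that the "sanitized" render of the second payload still carries a live onfocus handler; only the context-aware escape on output closes the hole. Do both: sanitize so that garbage never reaches the database, and escape so that whatever did reach it cannot execute.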
Potential Impact
The primary impact of CVE-2025-9367 is that an account with editor-level access can plant persistent script in a page the Welcart e-Commerce plugin generates, where it executes in the browser of every visitor to that page with that visitor's session and privileges. Depending on where the affected setting is rendered, the victims can be shoppers, staff or administrators; script running in an administrator's session can perform any action that administrator can, which is the realistic escalation path from an editor account to full control of the site. The consequences the advisory lists follow from that: session hijacking, credential theft, actions taken on behalf of users, and defacement or manipulation of content. Because the bug only matters where editors are denied unfiltered_html (multisite, or a single site hardened to remove the capability), the organizations exposed are precisely those that took the trouble to restrict editors, and they should not assume that restriction holds for Welcart settings until the plugin is updated. Confidentiality and integrity impact are rated low, with no availability impact; the practical severity depends on whose session the script ends up running in. The requirement for an authenticated editor account limits the attack surface but does not remove the risk: a phished or over-privileged editor account, or an insider, is enough. No exploitation in the wild is known, which lowers immediate urgency but not the need to patch. Organizations running Welcart in these configurations face reputational damage, data breach and regulatory consequences if it is exploited.
Mitigation Recommendations
To mitigate CVE-2025-9367, organizations should: 1) Update the Welcart e-Commerce plugin as soon as a release later than 2.11.20 that the vendor identifies as fixing this issue is available; this is the only complete fix, because the defect is in the plugin's own settings handling. 2) Audit user roles so that only trusted people hold the Editor role or higher, remove stale accounts, and require strong authentication for those that remain; the attack needs nothing more than such an account. 3) Restrict who can reach the plugin's settings screens: on multisite keep plugin configuration with network or site administrators, and on a single site use a role manager to withhold access to those screens from editors where the business allows. 4) Keep unfiltered_html disabled for editors, since it is what stops editors posting script in ordinary content, but understand that this bug bypasses that control for Welcart settings, so disabling the capability is not a mitigation for this CVE on its own. 5) After updating, review the plugin's stored settings for markup, event-handler attributes and javascript: URLs; a fix that changes how values are saved or rendered does not necessarily remove payloads already in the database, and any such value should be removed and its author investigated. 6) Deploy a Content Security Policy that disallows inline script and restricts script sources; this blocks injected handlers and script tags in the browser, but WordPress and many plugins rely on inline script, so roll the policy out in report-only mode first. 7) Use a web application firewall or security plugin as a detective layer on settings writes by editor accounts, treating it as a backstop rather than a fix. 8) Educate administrators and editors about the risk of pasting untrusted content into settings and content fields. Together these reduce the likelihood of exploitation and limit the impact if an injection does occur.
Affected Countries
United States, Japan, Germany, United Kingdom, France, Australia, Canada, India, Brazil, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-22T18:29:12.600Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c11e7ee55cc6e90d9f3b81
Added to database: 9/10/2025, 6:45:18 AM
Last enriched: 2/26/2026, 5:54:15 PM
Last updated: 3/26/2026, 8:19:28 AM