CVE-2025-0511: 
WordPress vulnerability analysis and mitigation

The Welcart e-Commerce plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-0511) discovered in all versions up to and including 2.11.9. The vulnerability was disclosed on February 12, 2025, and affects the plugin's 'name' parameter functionality (NVD CVE).

The vulnerability stems from insufficient input sanitization and output escaping in the 'name' parameter. This security flaw has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) by NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. However, Wordfence has assessed it with a higher CVSS score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N (NVD CVE).

The vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page. This can lead to potential data theft, session hijacking, or other malicious actions performed in the context of the affected user's session (NVD CVE).

The vulnerability has been patched in version 2.11.10 of the Welcart e-Commerce plugin. Users are strongly advised to update to this version or later to protect against potential attacks (WordPress Plugin).