CVE-2025-54012: 
WordPress vulnerability analysis and mitigation

A Deserialization of Untrusted Data vulnerability (CVE-2025-54012) was discovered in nanbu Welcart e-Commerce plugin affecting versions through 2.11.16. The vulnerability was reported on June 8, 2025, by researcher 63n0 and was publicly disclosed on August 12, 2025 (Patchstack).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data) and allows for PHP Object Injection. It received a CVSS v3.1 Base Score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high privileges required (NVD).

The vulnerability could potentially allow malicious actors to execute code injection, SQL injection, path traversal, or denial of service attacks if a proper POP chain is present. The impact severity is rated as Medium, with the vulnerability expected to become actively exploited (Patchstack).

The vulnerability has been patched in version 2.11.17 of the Welcart e-Commerce plugin. Users are advised to update to this version or later immediately. Additionally, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).